X-Git-Url: https://git.stg.codes/stg.git/blobdiff_plain/46b0747592074017ff0ea4b33d4a7194235886e5..2574a28cbf000603bc31f61593dbf061ff56c1d5:/libs/smux/ber_tlv_length.c?ds=sidebyside diff --git a/libs/smux/ber_tlv_length.c b/libs/smux/ber_tlv_length.c index 32aa5e54..cfd46723 100644 --- a/libs/smux/ber_tlv_length.c +++ b/libs/smux/ber_tlv_length.c @@ -40,28 +40,18 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size, for(len = 0, buf++, skipped = 1; oct && (++skipped <= size); buf++, oct--) { - len = (len << 8) | *buf; - if(len < 0 - || (len >> ((8 * sizeof(len)) - 8) && oct > 1)) { - /* - * Too large length value. - */ + /* Verify that we won't overflow. */ + if(!(len >> ((8 * sizeof(len)) - (8+1)))) { + len = (len << 8) | *buf; + } else { + /* Too large length value. */ return -1; } } if(oct == 0) { - ber_tlv_len_t lenplusepsilon = (size_t)len + 1024; - /* - * Here length may be very close or equal to 2G. - * However, the arithmetics used in some decoders - * may add some (small) quantities to the length, - * to check the resulting value against some limits. - * This may result in integer wrap-around, which - * we try to avoid by checking it earlier here. - */ - if(lenplusepsilon < 0) { - /* Too large length value */ + if(len < 0 || len > RSSIZE_MAX) { + /* Length value out of sane range. */ return -1; } @@ -75,16 +65,17 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size, } ssize_t -ber_skip_length(asn_codec_ctx_t *opt_codec_ctx, +ber_skip_length(const asn_codec_ctx_t *opt_codec_ctx, int _is_constructed, const void *ptr, size_t size) { ber_tlv_len_t vlen; /* Length of V in TLV */ + ssize_t tl; /* Length of L in TLV */ ssize_t ll; /* Length of L in TLV */ size_t skip; /* * Make sure we didn't exceed the maximum stack size. */ - if(_ASN_STACK_OVERFLOW_CHECK(opt_codec_ctx)) + if(ASN__STACK_OVERFLOW_CHECK(opt_codec_ctx)) return -1; /* @@ -111,7 +102,7 @@ ber_skip_length(asn_codec_ctx_t *opt_codec_ctx, ber_tlv_tag_t tag; /* Fetch the tag */ - ssize_t tl = ber_fetch_tag(ptr, size, &tag); + tl = ber_fetch_tag(ptr, size, &tag); if(tl <= 0) return tl; ll = ber_skip_length(opt_codec_ctx, @@ -142,7 +133,7 @@ der_tlv_length_serialize(ber_tlv_len_t len, void *bufp, size_t size) { size_t required_size; /* Size of len encoding */ uint8_t *buf = (uint8_t *)bufp; uint8_t *end; - size_t i; + int i; if(len <= 127) { /* Encoded in 1 octet */ @@ -153,7 +144,7 @@ der_tlv_length_serialize(ber_tlv_len_t len, void *bufp, size_t size) { /* * Compute the size of the subsequent bytes. */ - for(required_size = 1, i = 8; i < 8 * sizeof(len); i += 8) { + for(required_size = 1, i = 8; i < 8 * (int)sizeof(len); i += 8) { if(len >> i) required_size++; else