Commit a818b6e8 authored by Mouse's avatar Mouse

Fixed issue vlm#285 asn_oid_arc_t overflow

parent ab8eec97
...@@ -115,10 +115,14 @@ OBJECT_IDENTIFIER_get_single_arc(const uint8_t *arcbuf, size_t arcbuf_len, ...@@ -115,10 +115,14 @@ OBJECT_IDENTIFIER_get_single_arc(const uint8_t *arcbuf, size_t arcbuf_len,
return 0; return 0;
} else { } else {
asn_oid_arc_t accum; asn_oid_arc_t accum;
asn_oid_arc_t upper_limit = (ASN_OID_ARC_MAX >> 7);
/* When the value reaches "upper_limit", it can take */
/* at most one more digit. If it exceeds "upper_limit" */
/* but there are more digits - it's an Overflow condition */
/* Gather all bits into the accumulator */ /* Gather all bits into the accumulator */
for(accum = 0; b < arcend; b++) { for(accum = 0; b < arcend; b++) {
accum = (accum << 7) | (*b & ~0x80); accum = (accum << 7) | (*b & ~0x80);
if((*b & 0x80) == 0) { if((*b & 0x80) == 0) { // no more digits
if(accum <= ASN_OID_ARC_MAX) { if(accum <= ASN_OID_ARC_MAX) {
*ret_value = accum; *ret_value = accum;
return 1 + (b - arcbuf); return 1 + (b - arcbuf);
...@@ -126,6 +130,11 @@ OBJECT_IDENTIFIER_get_single_arc(const uint8_t *arcbuf, size_t arcbuf_len, ...@@ -126,6 +130,11 @@ OBJECT_IDENTIFIER_get_single_arc(const uint8_t *arcbuf, size_t arcbuf_len,
errno = ERANGE; /* Overflow */ errno = ERANGE; /* Overflow */
return -1; return -1;
} }
} else { // to make sure we aren't wrapping around
if(accum > upper_limit) {
errno = ERANGE; /* Overflow */
return -1;
}
} }
} }
errno = EINVAL; errno = EINVAL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment