Reinstate the check for invalid length BIT STRINGS,

which was effectively bypassed in the ASN1 changed.
2002-08-23 00:02:11 +00:00 · 2002-08-23 00:02:11 +00:00 · 41ab00bedf
commit 41ab00bedf
parent fc85ac20c7
2 changed files with 9 additions and 3 deletions
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@ -120,6 +120,12 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 	unsigned char *p,*s;
 	int i;

+	if (len < 1)
+		{
+		i=ASN1_R_STRING_TOO_SHORT;
+		goto err;
+		}
+
 	if ((a == NULL) || ((*a) == NULL))
 		{
 		if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@ -913,10 +913,10 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *i
 			ctx->ptag = ptag;
 			ctx->hdrlen = p - q;
 			ctx->valid = 1;
-			/* If definite length, length + header can't exceed total
-			 * amount of data available.
+			/* If definite length, and no error, length +
+			 * header can't exceed total amount of data available. 
 			 */
-			if(!(i & 1) && ((plen + ctx->hdrlen) > len)) {
+			if(!(i & 0x81) && ((plen + ctx->hdrlen) > len)) {
 				ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_TOO_LONG);
 				asn1_tlc_clear(ctx);
 				return 0;