diff options
author | David Benjamin <davidben@google.com> | 2016-01-04 16:16:28 -0800 |
---|---|---|
committer | Russ Cox <rsc@golang.org> | 2016-01-06 01:41:27 +0000 |
commit | 7f96e266ec684943acfc1164a18d2cf005e03ef6 (patch) | |
tree | 2407d2b25c3a66f48ae54a7d336049b8d54872ec /src/encoding/asn1 | |
parent | ace1738f9c1ad3d351c49cb9ca0811334a24585f (diff) | |
download | go-7f96e266ec684943acfc1164a18d2cf005e03ef6.tar.gz go-7f96e266ec684943acfc1164a18d2cf005e03ef6.zip |
encoding/asn1: fix off-by-one in parseBase128Int.
parseBase128Int compares |shifted| with four, seemingly to ensure the result
fits in an int32 on 32-bit platforms where int is 32-bit. However, there is an
off-by-one in this logic, so it actually allows five shifts, making the maximum
tag number or OID component 2^35-1.
Fix this so the maximum is 2^28-1 which should be plenty for OID components and
tag numbers while not overflowing on 32-bit platforms.
Change-Id: If825b30cc53a0fc08e68ea1a24d265e7eb1a13a4
Reviewed-on: https://go-review.googlesource.com/18225
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Diffstat (limited to 'src/encoding/asn1')
-rw-r--r-- | src/encoding/asn1/asn1.go | 2 | ||||
-rw-r--r-- | src/encoding/asn1/asn1_test.go | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/src/encoding/asn1/asn1.go b/src/encoding/asn1/asn1.go index 0070ea82a7..8bafefd52b 100644 --- a/src/encoding/asn1/asn1.go +++ b/src/encoding/asn1/asn1.go @@ -294,7 +294,7 @@ type Flag bool func parseBase128Int(bytes []byte, initOffset int) (ret, offset int, err error) { offset = initOffset for shifted := 0; offset < len(bytes); shifted++ { - if shifted > 4 { + if shifted == 4 { err = StructuralError{"base 128 integer too large"} return } diff --git a/src/encoding/asn1/asn1_test.go b/src/encoding/asn1/asn1_test.go index 509a2cb25e..e0e833123b 100644 --- a/src/encoding/asn1/asn1_test.go +++ b/src/encoding/asn1/asn1_test.go @@ -380,6 +380,8 @@ var tagAndLengthData = []tagAndLengthTest{ {[]byte{0xa0, 0x84, 0x80, 0x00, 0x00, 0x00}, false, tagAndLength{}}, // Long length form may not be used for lengths that fit in short form. {[]byte{0xa0, 0x81, 0x7f}, false, tagAndLength{}}, + // Tag numbers which would overflow int32 are rejected. (The value below is 2^31.) + {[]byte{0x1f, 0x88, 0x80, 0x80, 0x80, 0x00, 0x00}, false, tagAndLength{}}, } func TestParseTagAndLength(t *testing.T) { |