author | Lev Walkin <vlm@lionet.info> | 2006-07-13 12:01:26 +0000 |
---|---|---|
committer | Lev Walkin <vlm@lionet.info> | 2006-07-13 12:01:26 +0000 |
commit | 97c5cfc8c56da86c3482523136c183819e08370d (patch) | |
tree | 5e14df86b8d65900c6434b554c31c8e11784faf6 | |
parent | 1eded3544e880b2a2c9ee122ace2c64710d04981 (diff) |
finally got it right
-rw-r--r-- | skeletons/ber_tlv_length.c | 3 | ||||
-rw-r--r-- | skeletons/tests/check-length.c | 2 |
2 files changed, 4 insertions, 1 deletions
diff --git a/skeletons/ber_tlv_length.c b/skeletons/ber_tlv_length.c
index 2baa1a10..5edd3524 100644
--- a/skeletons/ber_tlv_length.c
+++ b/skeletons/ber_tlv_length.c
@@ -51,6 +51,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
 }
 if(oct == 0) {
+ ber_tlv_len_t lenplusepsilon = len + 1024;
 /*
 * Here length may be very close or equal to 2G.
 * However, the arithmetics used in some decoders
@@ -58,7 +59,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
 * to check the resulting value against some limits.
 * This may result in integer wrap-around.
 */
- if((len + 1024) < len - 1024) {
+ if(lenplusepsilon < 0) {
 /* Too large length value */
 return -1;
 }
diff --git a/skeletons/tests/check-length.c b/skeletons/tests/check-length.c
index 6dfc7aee..312e0370 100644
--- a/skeletons/tests/check-length.c
+++ b/skeletons/tests/check-length.c
@@ -112,9 +112,11 @@ main() {
 * Here although tlv_len is not greater than 2^31,
 * we ought to hit an embedded length exploitation preventive check.
 */
+ printf("sizeof(tlv_len) = %d\n", (int)sizeof(tlv_len));
 if(sizeof(tlv_len) <= 4) {
 ret = ber_fetch_length(0, buf3, sizeof(buf3), &tlv_len);
 printf("ret=%ld\n", (long)ret);
+ printf("len=0x%x\n", (long)tlv_len);
 assert(ret == -1);
 }
 if(sizeof(tlv_len) <= 8) { |
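Review bot: The new guard in the second hunk, `if(lenplusepsilon < 0)`, can only fire after `len + 1024` in the first hunk's declaration has already overflowed. If `ber_tlv_len_t` is a signed type (the `< 0` test suggests it is), that overflow is undefined behaviour, so an optimising compiler may assume it never happens and remove the check. Because this is the wrap-around defence for a length decoded from the input buffer, compare before adding instead: `if(len < 0 || len > BER_TLV_LEN_MAX - 1024) return -1;`, where `BER_TLV_LEN_MAX` is a placeholder for the maximum of `ber_tlv_len_t`, not a name taken from this file. The loop that accumulates `len` lies outside both hunks, so whether it can overflow before reaching this point needs checking there as well.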
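Review bot: The added `printf("len=0x%x\n", (long)tlv_len);` passes a `long` to a `%x` conversion, which expects `unsigned int`; the mismatch is undefined behaviour and can print a truncated or unrelated value where `long` is wider than `int`. Use `printf("len=0x%lx\n", (unsigned long)tlv_len);`. The line also prints `tlv_len` right after a call that is asserted to return -1; whether `ber_fetch_length` stores to the output on that path is not visible here, so the printed value may be left over from an earlier call in `main`, whose body extends beyond the hunk.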