From 97c5cfc8c56da86c3482523136c183819e08370d Mon Sep 17 00:00:00 2001
From: Lev Walkin
Date: Thu, 13 Jul 2006 12:01:26 +0000
Subject: finally got it right

---
 skeletons/ber_tlv_length.c | 3 ++-
 skeletons/tests/check-length.c | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/skeletons/ber_tlv_length.c b/skeletons/ber_tlv_length.c
index 2baa1a10..5edd3524 100644
--- a/skeletons/ber_tlv_length.c
+++ b/skeletons/ber_tlv_length.c
@@ -51,6 +51,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
 }
 if(oct == 0) {
+ ber_tlv_len_t lenplusepsilon = len + 1024;
 /*
 * Here length may be very close or equal to 2G.
 * However, the arithmetics used in some decoders
@@ -58,7 +59,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
 * to check the resulting value against some limits.
 * This may result in integer wrap-around.
 */
- if((len + 1024) < len - 1024) {
+ if(lenplusepsilon < 0) {
 /* Too large length value */
 return -1;
 }
diff --git a/skeletons/tests/check-length.c b/skeletons/tests/check-length.c
index 6dfc7aee..312e0370 100644
--- a/skeletons/tests/check-length.c
+++ b/skeletons/tests/check-length.c
@@ -112,9 +112,11 @@ main() {
 * Here although tlv_len is not greater than 2^31,
 * we ought to hit an embedded length exploitation preventive check.
 */
+ printf("sizeof(tlv_len) = %d\n", (int)sizeof(tlv_len));
 if(sizeof(tlv_len) <= 4) {
 ret = ber_fetch_length(0, buf3, sizeof(buf3), &tlv_len);
 printf("ret=%ld\n", (long)ret);
+ printf("len=0x%x\n", (long)tlv_len);
 assert(ret == -1);
 }
 if(sizeof(tlv_len) <= 8) {
--
cgit v1.2.3
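Review bot: The new guard still depends on signed overflow: `len + 1024` in the added line of the first hunk is computed in `ber_tlv_len_t`, which the `lenplusepsilon < 0` test in the second hunk treats as signed, so when len lies within 1024 of the type's maximum the addition is undefined behaviour and an optimizing compiler may assume it cannot wrap and discard the `< 0` test, reintroducing exactly the wrap-around the comment describes. Do the addition in an unsigned type so the wrap is well-defined and only the conversion back to the signed type is implementation-defined, `ber_tlv_len_t lenplusepsilon = (size_t)len + 1024;`, or compare len against an explicit upper bound before adding anything to it. The declaration of len is outside both hunks, so this assumes it is a `ber_tlv_len_t`, as the removed `(len + 1024) < len - 1024` comparison suggests. A build with `-fsanitize=undefined` running the existing check-length test on a 32-bit ber_tlv_len_t would report the overflow. ber_fetch_length begins before the first hunk and continues past the second.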
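Review bot: The added `printf("len=0x%x\n", (long)tlv_len);` passes a `long` to `%x`, which expects an `unsigned int`; that is undefined behaviour, prints a truncated or garbage value on LP64 targets, and is inconsistent with the `%ld` / `(long)ret` pairing on the line just above it. Use `printf("len=0x%lx\n", (unsigned long)tlv_len);` so the specifier and argument agree and `-Wformat` stays clean. The line also prints tlv_len after a call that is asserted to return -1, so if ber_fetch_length does not store through its output pointer on the error path (its body is not in this diff) the value shown is whatever tlv_len held before the call. main() starts outside the hunk.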