1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
#include <ber_decoder.c>
#include <ber_tlv_length.c>
#include <ber_tlv_tag.c>
#include <der_encoder.c>
#include <xer_decoder.c>
#include <xer_support.c>
#include <per_support.c>
#include <constraints.c>
#undef ADVANCE
#undef RETURN
#undef LEFT
#include <OCTET_STRING.c>
uint8_t *buf;
size_t buf_size;
size_t buf_off;
static int
write_to_buf(const void *buffer, size_t size, void *key) {
(void)key;
if(buf_off + size > buf_size) {
size_t n = buf_size?:16;
while(n < buf_off + size) n <<= 2;
buf = realloc(buf, n);
assert(buf);
buf_size = n;
}
memcpy(buf + buf_off, buffer, size);
buf_off += size;
return 0;
}
static void
check(int size) {
OCTET_STRING_t *os;
OCTET_STRING_t *nos = 0;
asn_enc_rval_t erval;
asn_dec_rval_t rval;
int i;
os = OCTET_STRING_new_fromBuf(&asn_DEF_OCTET_STRING, 0, size);
assert(os);
assert(os->size == 0);
os->buf = malloc(size);
assert(os->buf);
os->size = size;
for(i = 0; i < size; i++) {
os->buf[i] = i;
}
buf_off = 0;
erval = der_encode(&asn_DEF_OCTET_STRING,
os, write_to_buf, 0);
assert(erval.encoded == buf_off);
assert(buf_off > size);
rval = ber_decode(0, &asn_DEF_OCTET_STRING, (void **)&nos, buf, buf_off);
assert(rval.code == RC_OK);
assert(rval.consumed == buf_off);
assert(os->size == nos->size);
for(i = 0; i < size; i++) {
assert(os->buf[i] == nos->buf[i]);
}
if(0) {
fprintf(stderr, "new(%d):", size);
for(i = 0; i < (buf_off<10?buf_off:10); i++)
fprintf(stderr, " %02x", buf[i]);
printf("\n");
}
asn_DEF_OCTET_STRING.free_struct(&asn_DEF_OCTET_STRING, os, 0);
asn_DEF_OCTET_STRING.free_struct(&asn_DEF_OCTET_STRING, nos, 0);
}
int
main() {
uint8_t buf1[] = { 0x85, 0x00, 0x01, 0x02, 0x03, 0x04 };
uint8_t buf2[] = { 0x85, 0x00, 0x7f, 0xff, 0x03, 0x04 };
uint8_t buf3[] = { 0x85, 0x00, 0x7f, 0xff, 0xff, 0x04 };
uint8_t buf4[] = { 0x89, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04 };
ber_tlv_len_t tlv_len;
ssize_t ret;
int i;
for(i = 0; i < 66000; i++) {
if(i == 4500) i = 64000; /* Jump */
check(i);
}
ret = ber_fetch_length(0, buf1, sizeof(buf1), &tlv_len);
printf("ret=%ld, len=%ld\n", (long)ret, (long)tlv_len);
assert(ret == sizeof(buf1));
assert(tlv_len == 0x01020304);
ret = ber_fetch_length(0, buf2, sizeof(buf2), &tlv_len);
printf("ret=%ld, len=%ld\n", (long)ret, (long)tlv_len);
assert(ret == sizeof(buf2));
assert(tlv_len == 0x7fff0304);
/*
* Here although tlv_len is not greater than 2^31,
* we ought to hit an embedded length exploitation preventive check.
*/
printf("sizeof(tlv_len) = %d\n", (int)sizeof(tlv_len));
if(sizeof(tlv_len) <= 4) {
ret = ber_fetch_length(0, buf3, sizeof(buf3), &tlv_len);
printf("ret=%ld\n", (long)ret);
printf("len=0x%x\n", (long)tlv_len);
assert(ret == -1);
}
if(sizeof(tlv_len) <= 8) {
ret = ber_fetch_length(0, buf4, sizeof(buf4), &tlv_len);
printf("ret=%lld\n", (long long)ret);
assert(ret == -1);
}
return 0;
}
|
