Skip to content

Commit

Permalink
Fix Potential ASN1 Buffer Overflows in EnterContainer() and DecodeHead()
Browse files Browse the repository at this point in the history
  • Loading branch information
emargolis committed Jun 14, 2022
1 parent 8cbfd2f commit 4b6cf5e
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions src/lib/asn1/ASN1Reader.cpp
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
/*
*
* Copyright (c) 2020-2021 Project CHIP Authors
* Copyright (c) 2020-2022 Project CHIP Authors
* Copyright (c) 2013-2017 Nest Labs, Inc.
* All rights reserved.
*
Expand Down Expand Up @@ -113,6 +113,8 @@ CHIP_ERROR ASN1Reader::EnterContainer(uint32_t offset)
mElemStart = Value + offset;
if (!IndefiniteLen)
{
VerifyOrReturnError(CanCastTo<uint32_t>(mBufEnd - Value), ASN1_ERROR_VALUE_OVERFLOW);
VerifyOrReturnError(static_cast<uint32_t>(mBufEnd - Value) >= ValueLen, ASN1_ERROR_VALUE_OVERFLOW);
mContainerEnd = Value + ValueLen;
}

Expand Down Expand Up @@ -303,8 +305,9 @@ CHIP_ERROR ASN1Reader::DecodeHead()
IndefiniteLen = false;
}

VerifyOrReturnError(CanCastTo<uint32_t>(mBufEnd - p), ASN1_ERROR_VALUE_OVERFLOW);
VerifyOrReturnError(static_cast<uint32_t>(mBufEnd - p) >= ValueLen, ASN1_ERROR_VALUE_OVERFLOW);
VerifyOrReturnError(CanCastTo<uint32_t>(p - mElemStart), ASN1_ERROR_VALUE_OVERFLOW);

mHeadLen = static_cast<uint32_t>(p - mElemStart);

EndOfContents = (Class == kASN1TagClass_Universal && Tag == 0 && !Constructed && ValueLen == 0);
Expand Down

0 comments on commit 4b6cf5e

Please sign in to comment.