Changeset 52533 in vbox for trunk/src/VBox/Runtime/common/asn1

Timestamp:

Aug 29, 2014 10:51:39 PM (10 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

95788

Message:

ASN.1 decoding: limit nesting.

File:

• trunk/src/VBox/Runtime/common/asn1/asn1-cursor.cpp (modified) (3 diffs)

trunk/src/VBox/Runtime/common/asn1/asn1-cursor.cpp

@@ -40 +40 @@
 
 /*******************************************************************************
+*   Defined Constants And Macros                                               *
+*******************************************************************************/
+/** @def RTASN1_MAX_NESTING
+ * The maximum nesting depth we allow.  This limit is enforced to avoid running
+ * out of stack due to malformed ASN.1 input.
+ *
+ * For reference, 'RTSignTool verify-exe RTSignTool.exe', requires a value of 15
+ * to work without hitting the limit.
+ */
+#ifdef IN_RING3
+# define RTASN1_MAX_NESTING     64
+#else
+# define RTASN1_MAX_NESTING     32
+#endif
+
+
+/*******************************************************************************
 *   Global Variables                                                           *
 *******************************************************************************/
@@ -50 +67 @@
                                               const char *pszErrorTag)
 {
-    pPrimaryCursor->Cursor.pbCur        = (uint8_t const *)pvFirst;
-    pPrimaryCursor->Cursor.cbLeft       = cb;
-    pPrimaryCursor->Cursor.fFlags       = fFlags;
-    pPrimaryCursor->Cursor.pPrimary     = pPrimaryCursor;
-    pPrimaryCursor->Cursor.pUp          = NULL;
-    pPrimaryCursor->Cursor.pszErrorTag  = pszErrorTag;
-    pPrimaryCursor->pErrInfo            = pErrInfo;
-    pPrimaryCursor->pAllocator          = pAllocator;
+    pPrimaryCursor->Cursor.pbCur            = (uint8_t const *)pvFirst;
+    pPrimaryCursor->Cursor.cbLeft           = cb;
+    pPrimaryCursor->Cursor.fFlags           = fFlags;
+    pPrimaryCursor->Cursor.cDepth           = 0;
+    pPrimaryCursor->Cursor.abReserved[0]    = 0;
+    pPrimaryCursor->Cursor.abReserved[1]    = 0;
+    pPrimaryCursor->Cursor.pPrimary         = pPrimaryCursor;
+    pPrimaryCursor->Cursor.pUp              = NULL;
+    pPrimaryCursor->Cursor.pszErrorTag      = pszErrorTag;
+    pPrimaryCursor->pErrInfo                = pErrInfo;
+    pPrimaryCursor->pAllocator              = pAllocator;
     return &pPrimaryCursor->Cursor;
 }
 
 
-RTDECL(PRTASN1CURSOR) RTAsn1CursorInitSub(PRTASN1CURSOR pParent, uint32_t cb, PRTASN1CURSOR pChild, const char *pszErrorTag)
-{
-    Assert(pParent->pPrimary);
-    Assert(pParent->pbCur);
-
-    pChild->pbCur       = pParent->pbCur;
-    pChild->cbLeft      = cb;
-    pChild->fFlags      = pParent->fFlags;
-    pChild->pPrimary    = pParent->pPrimary;
-    pChild->pUp         = pParent;
-    pChild->pszErrorTag = pszErrorTag;
-
-    AssertRelease(pParent->cbLeft >= cb);
+RTDECL(int) RTAsn1CursorInitSub(PRTASN1CURSOR pParent, uint32_t cb, PRTASN1CURSOR pChild, const char *pszErrorTag)
+{
+    AssertReturn(pParent->pPrimary, VERR_ASN1_INTERNAL_ERROR_1);
+    AssertReturn(pParent->pbCur, VERR_ASN1_INTERNAL_ERROR_2);
+
+    pChild->pbCur           = pParent->pbCur;
+    pChild->cbLeft          = cb;
+    pChild->fFlags          = pParent->fFlags;
+    pChild->cDepth          = pParent->cDepth + 1;
+    AssertReturn(pChild->cDepth < RTASN1_MAX_NESTING, VERR_ASN1_TOO_DEEPLY_NESTED);
+    pChild->abReserved[0]   = 0;
+    pChild->abReserved[1]   = 0;
+    pChild->pPrimary        = pParent->pPrimary;
+    pChild->pUp             = pParent;
+    pChild->pszErrorTag     = pszErrorTag;
+
+    AssertReturn(pParent->cbLeft >= cb, VERR_ASN1_INTERNAL_ERROR_3);
     pParent->pbCur  += cb;
     pParent->cbLeft -= cb;
 
-    return pChild;
-}
-
-
-RTDECL(PRTASN1CURSOR) RTAsn1CursorInitSubFromCore(PRTASN1CURSOR pParent, PRTASN1CORE pAsn1Core,
-                                                  PRTASN1CURSOR pChild, const char *pszErrorTag)
-{
-    Assert(pParent->pPrimary);
-    Assert(pParent->pbCur);
-
-    pChild->pbCur       = pAsn1Core->uData.pu8;
-    pChild->cbLeft      = pAsn1Core->cb;
-    pChild->fFlags      = pParent->fFlags;
-    pChild->pPrimary    = pParent->pPrimary;
-    pChild->pUp         = pParent;
-    pChild->pszErrorTag = pszErrorTag;
-
-    return pChild;
+    return VINF_SUCCESS;
+}
+
+
+RTDECL(int) RTAsn1CursorInitSubFromCore(PRTASN1CURSOR pParent, PRTASN1CORE pAsn1Core,
+                                        PRTASN1CURSOR pChild, const char *pszErrorTag)
+{
+    AssertReturn(pParent->pPrimary, VERR_ASN1_INTERNAL_ERROR_1);
+    AssertReturn(pParent->pbCur, VERR_ASN1_INTERNAL_ERROR_2);
+
+    pChild->pbCur           = pAsn1Core->uData.pu8;
+    pChild->cbLeft          = pAsn1Core->cb;
+    pChild->fFlags          = pParent->fFlags;
+    pChild->cDepth          = pParent->cDepth + 1;
+    AssertReturn(pChild->cDepth < RTASN1_MAX_NESTING, VERR_ASN1_TOO_DEEPLY_NESTED);
+    pChild->abReserved[0]   = 0;
+    pChild->abReserved[1]   = 0;
+    pChild->pPrimary        = pParent->pPrimary;
+    pChild->pUp             = pParent;
+    pChild->pszErrorTag     = pszErrorTag;
+
+    return VINF_SUCCESS;
 }
 
@@ -357 +385 @@
                                        "%s: Unexpected %s type/flags: %#x/%#x (expected %#x/%#x)",
                                        pszErrorTag, pszWhat, pAsn1Core->uTag, pAsn1Core->fClass, uTag, fClass);
-        RTAsn1CursorInitSub(pCursor, pAsn1Core->cb, pRetCursor, pszErrorTag);
-        pAsn1Core->fFlags |= RTASN1CORE_F_PRIMITE_TAG_STRUCT;
-        return VINF_SUCCESS;
+        rc = RTAsn1CursorInitSub(pCursor, pAsn1Core->cb, pRetCursor, pszErrorTag);
+        if (RT_SUCCESS(rc))
+        {
+            pAsn1Core->fFlags |= RTASN1CORE_F_PRIMITE_TAG_STRUCT;
+            return VINF_SUCCESS;
+        }
     }
     return rc;