[erlang-patches] ASN.1 Long Definite Length
Vance Shipley
vances@REDACTED
Sun May 15 03:49:22 CEST 2011
The asn1_erl_driver driver does not perform adequate bounds
checking in the case where the length value of a TLV is a
Long Definite Length. The following demonstrates the problem:

    Eshell V5.8.3 (abort with ^G)
    1> asn1rt_ber_bin_v2:decode(<<252,255,255,255,255,255,255,255>>, driver).
    Segmentation fault

The attached patch adds a test to determine if the calculated length
has overflowed the size of the variable used to store it. With the
patch applied:

    Eshell V5.8.3 (abort with ^G)
    1> asn1rt_ber_bin_v2:decode(<<252,255,255,255,255,255,255,255>>, driver).
    ** exception exit: {error,{asn1,{"bad length field after byte:",5,
                                     <<"\374\377\377\377\377\377\377\377">>}}}
         in function  asn1rt_ber_bin_v2:handle_error/2

I will submit a full patch with a test suite if you'd like me to.

--
-Vance
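
Added example, not part of the original message and not the attached patch or the driver's own code: a C routine that parses BER length octets with the overflow test the message describes. It goes beyond that one test by also rejecting truncated, reserved and out-of-buffer lengths; the names ber_read_length, check and the BER_* codes are hypothetical, and the sample byte strings other than the one from the report are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { BER_OK = 0, BER_ERR_TRUNCATED = -1, BER_ERR_INDEFINITE = -2,
       BER_ERR_RESERVED = -3, BER_ERR_OVERFLOW = -4, BER_ERR_TOO_LONG = -5 };

/* Hypothetical helper: parse the length octets at buf[*pos]. On success
 * *out is the content length and *pos is the first content octet. */
int ber_read_length(const unsigned char *buf, size_t len, size_t *pos, size_t *out)
{
    size_t p = *pos, value = 0;
    if (p >= len) return BER_ERR_TRUNCATED;
    unsigned char first = buf[p++];
    if (!(first & 0x80)) {
        value = first;                            /* short form: 0..127 */
    } else {
        unsigned n = first & 0x7F;                /* number of length octets */
        if (n == 0)    return BER_ERR_INDEFINITE; /* not handled in this example */
        if (n == 0x7F) return BER_ERR_RESERVED;   /* 0xFF is reserved by X.690 */
        if (n > len - p) return BER_ERR_TRUNCATED;
        for (unsigned i = 0; i < n; i++) {
            if (value > (SIZE_MAX >> 8))          /* next shift would drop bits */
                return BER_ERR_OVERFLOW;
            value = (value << 8) | buf[p++];
        }
    }
    if (value > len - p) return BER_ERR_TOO_LONG; /* content runs past the buffer */
    *pos = p; *out = value;
    return BER_OK;
}

/* from_report is the byte string in the message; the others are constructed. */
static const unsigned char from_report[] = {252,255,255,255,255,255,255,255};
static const unsigned char nine_octets[] = {0x30,0x89,255,255,255,255,255,255,255,255,255};
static const unsigned char valid[] = {0x04,0x82,0x00,0x03,'a','b','c'};

int check(const unsigned char *buf, size_t len)
{
    size_t pos = 1, out = 0;   /* assumes a single-octet identifier at buf[0] */
    return ber_read_length(buf, len, &pos, &out);
}

int main(void)
{
    printf("%d %d %d\n", check(from_report, sizeof from_report),
           check(nine_octets, sizeof nine_octets), check(valid, sizeof valid));
    return 0;
}
```

In this example the byte string from the report is refused at its first length octet (0xFF), while the nine-octet case is the one that reaches the overflow test.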