[erlang-patches] ASN.1 Long Definite Length

Vance Shipley <>
Sun May 15 03:49:22 CEST 2011


The asn1_erl_driver driver does not perform adequate bounds
checking in the case where the length value of a TLV is a
Long Definite Length.  The following demonstrates the problem:

     Eshell V5.8.3  (abort with ^G)
     1> asn1rt_ber_bin_v2:decode(<<252,255,255,255,255,255,255,255>>, driver).
     Segmentation fault

The attached patch adds a test to determine if the calculated length
has overflowed the size of the variable used to store it.  With the
patch applied:

     Eshell V5.8.3  (abort with ^G)
     1> asn1rt_ber_bin_v2:decode(<<252,255,255,255,255,255,255,255>>, driver).
     ** exception exit: {error,{asn1,{"bad length field after byte:",5,
                                      <<"\374\377\377\377\377\377\377\377">>}}}
          in function  asn1rt_ber_bin_v2:handle_error/2

I will submit a full patch with a test suite if you'd like me to.

-- 
	-Vance


More information about the erlang-patches mailing list