[erlang-patches] ASN.1 Long Definite Length

Vance Shipley vances@REDACTED
Mon May 16 05:59:33 CEST 2011


While looking into this problem I believe I have spotted another
small bug.  The while loop will result in memory beyond the end
of the input buffer being read.  The attached patch to the existing
file corrects this.

On Sun, May 15, 2011 at 07:19:20AM +0530, Vance Shipley wrote:
}  The asn1_erl_driver driver does not perform adequate bounds
}  checking in the case where the length value of a TLV is a
}  Long Definite Length.

-- 
	-Vance
-------------- next part --------------
--- lib/asn1/c_src/asn1_erl_driver.c
+++ lib/asn1/c_src/asn1_erl_driver.c
@@ -1294,7 +1294,7 @@
      printf("decode_value,lenoflen:%d\r\n",lenoflen);
 #endif
     len = 0;
-    while (lenoflen-- && (*ib_index <= in_buf_len)) {
+    while (lenoflen-- && (*ib_index < in_buf_len)) {
       (*ib_index)++;
 #ifdef ASN1_DEBUG
        printf("decode_value1:ii=%d.\r\n",*ib_index);


More information about the erlang-patches mailing list