]> Cypherpunks repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ace1738)
encoding/asn1: fix off-by-one in parseBase128Int.
authorDavid Benjamin <davidben@google.com>
Tue, 5 Jan 2016 00:16:28 +0000 (16:16 -0800)
committerRuss Cox <rsc@golang.org>
Wed, 6 Jan 2016 01:41:27 +0000 (01:41 +0000)
parseBase128Int compares |shifted| with four, seemingly to ensure the result
fits in an int32 on 32-bit platforms where int is 32-bit. However, there is an
off-by-one in this logic, so it actually allows five shifts, making the maximum
tag number or OID component 2^35-1.

Fix this so the maximum is 2^28-1 which should be plenty for OID components and
tag numbers while not overflowing on 32-bit platforms.

Change-Id: If825b30cc53a0fc08e68ea1a24d265e7eb1a13a4
Reviewed-on: https://go-review.googlesource.com/18225
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
src/encoding/asn1/asn1.go patch | blob | history
src/encoding/asn1/asn1_test.go patch | blob | history

diff --git a/src/encoding/asn1/asn1.go b/src/encoding/asn1/asn1.go
index 0070ea82a77a00614fda6278806adb2b00f0d9b3..8bafefd52bb463dde5ae5e9c85216d8916a9ee0d 100644 (file)
--- a/src/encoding/asn1/asn1.go
+++ b/src/encoding/asn1/asn1.go
@@ -294,7 +294,7 @@ type Flag bool
 func parseBase128Int(bytes []byte, initOffset int) (ret, offset int, err error) {
        offset = initOffset
        for shifted := 0; offset < len(bytes); shifted++ {
-               if shifted > 4 {
+               if shifted == 4 {
                        err = StructuralError{"base 128 integer too large"}
                        return
                }
diff --git a/src/encoding/asn1/asn1_test.go b/src/encoding/asn1/asn1_test.go
index 509a2cb25e35b6010adc59c39ef3800e1bacbb38..e0e833123b155ff838ad01438c3285cd61730fdc 100644 (file)
--- a/src/encoding/asn1/asn1_test.go
+++ b/src/encoding/asn1/asn1_test.go
@@ -380,6 +380,8 @@ var tagAndLengthData = []tagAndLengthTest{
        {[]byte{0xa0, 0x84, 0x80, 0x00, 0x00, 0x00}, false, tagAndLength{}},
        // Long length form may not be used for lengths that fit in short form.
        {[]byte{0xa0, 0x81, 0x7f}, false, tagAndLength{}},
+       // Tag numbers which would overflow int32 are rejected. (The value below is 2^31.)
+       {[]byte{0x1f, 0x88, 0x80, 0x80, 0x80, 0x00, 0x00}, false, tagAndLength{}},
 }
 
 func TestParseTagAndLength(t *testing.T) {
Go GOST TLS 1.3