Bugfix: in asn1parse avoid erroneous len after a sub-sequence

Introduced in:

    commit 79c7f74d6cefd5d32fa20e69195ad3de834ce065
    Author: Ben Laurie <ben@links.org>
    Date:   Tue Mar 29 19:37:57 2016 +0100

    Fix buffer overrun in ASN1_parse().

Problem input:

    https://tools.ietf.org/html/draft-ietf-curdle-pkix-eddsa-00#section-8.1
    -----BEGIN PUBLIC KEY-----
    MC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
    -----END PUBLIC KEY-----

Previously:

        0:d=0  hl=2 l=  45 cons: SEQUENCE
        2:d=1  hl=2 l=   8 cons: SEQUENCE
        4:d=2  hl=2 l=   3 prim: OBJECT            :1.3.101.100
        9:d=2  hl=2 l=   1 prim: ENUMERATED        :02
    Error in encoding
    140735164989440:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../openssl/crypto/asn1/asn1_lib.c:148:

Now:

    0:d=0  hl=2 l=  45 cons: SEQUENCE
    2:d=1  hl=2 l=   8 cons: SEQUENCE
    4:d=2  hl=2 l=   3 prim: OBJECT            :1.3.101.100
    9:d=2  hl=2 l=   1 prim: ENUMERATED        :02
   12:d=1  hl=2 l=  33 prim: BIT STRING
      0000 - 00 19 bf 44 09 69 84 cd-fe 85 41 ba c1 67 dc 3b   ...D.i....A..g.;
      0010 - 96 c8 50 86 aa 30 b6 b6-cb 0c 5c 38 ad 70 31 66   ..P..0....\8.p1f
      0020 - e1                                                .

Reviewed-by: Richard Levitte <levitte@openssl.org>

diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c
index b721273cf1757f32198ffc36bbc9af06366948a3..e41282094dec2ce80b4899c279e860e125bafd1b 100644 (file)
--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -189,18 +189,19 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                     }
                 }
             } else {
+                long tmp = len;
+
                 while (p < ep) {
                     sp = p;
-                    r = asn1_parse2(bp, &p, len,
+                    r = asn1_parse2(bp, &p, tmp,
                                     offset + (p - *pp), depth + 1,
                                     indent, dump);
                     if (r == 0) {
                         ret = 0;
                         goto end;
                     }
-                    len -= p - sp;
+                    tmp -= p - sp;
                 }
-                len = length;
             }
         } else if (xclass != 0) {
             p += len;