ITS#5010: OID encode/decode fixes and paranoia. #define LBER_OID_COMPONENT_MAX.

2025-01-06 10:46:21 +08:00 · 2007-07-23 12:57:23 +00:00 · 2007-07-23 12:57:23 +00:00 · 17afb33c19
commit 17afb33c19
parent b236aba403
3 changed files with 71 additions and 54 deletions
--- a/libraries/liblber/decode.c
+++ b/libraries/liblber/decode.c
@ -49,32 +49,44 @@ static ber_len_t ber_getnint LDAP_P((
 int
 ber_decode_oid( BerValue *in, BerValue *out )
 {
-	unsigned char *der = (unsigned char *) in->bv_val;
-	unsigned long val, val1;
-	int i, len;
+	const unsigned char *der;
+	unsigned long val;
+	unsigned val1;
+	ber_len_t i;
 	char *ptr;

 	assert( in != NULL );
 	assert( out != NULL );

-	/* expands by 5/2, and we add dots - call it 3 */
-	if ( !out->bv_val || out->bv_len < in->bv_len * 3 )
+	/* need 4 chars/inbyte + \0 for input={7f 7f 7f...} */
+	if ( !out->bv_val || (out->bv_len+3)/4 <= in->bv_len )
 		return -1;

-	val1 = der[0] / 40;
-	val = der[0] - val1 * 40;
-
-	len = sprintf( out->bv_val, "%ld.%ld", val1, val );
-	ptr = out->bv_val + len;
+	ptr = NULL;
+	der = (unsigned char *) in->bv_val;
 	val = 0;
-	for ( i=1; i<in->bv_len; i++ ) {
-		val = val << 7;
+	for ( i=0; i < in->bv_len; i++ ) {
 		val |= der[i] & 0x7f;
 		if ( !( der[i] & 0x80 )) {
-			ptr += sprintf( ptr, ".%ld", val );
+			if ( ptr == NULL ) {
+				/* Initial "x.y": val=x*40+y, x<=2, y<40 if x=2 */
+				ptr = out->bv_val;
+				val1 = (val < 80 ? val/40 : 2);
+				val -= val1*40;
+				ptr += sprintf( ptr, "%u", val1 );
+			}
+			ptr += sprintf( ptr, ".%lu", val );
 			val = 0;
+		} else if ( val - 1UL < LBER_OID_COMPONENT_MAX >> 7 ) {
+			val <<= 7;
+		} else {
+			/* val would overflow, or is 0 from invalid initial 0x80 octet */
+			return -1;
 		}
 	}
+	if ( ptr == NULL || val != 0 )
+		return -1;
+
 	out->bv_len = ptr - out->bv_val;
 	return 0;
 }
--- a/libraries/liblber/encode.c
+++ b/libraries/liblber/encode.c
@ -30,6 +30,7 @@

 #include "portable.h"

+#include <ctype.h>
 #include <stdio.h>

 #include <ac/stdlib.h>
@ -181,59 +182,55 @@ ber_put_len( BerElement *ber, ber_len_t len, int nosos )
 int
 ber_encode_oid( BerValue *in, BerValue *out )
 {
-	unsigned char *der = (unsigned char *) out->bv_val;
-	unsigned long val, val1;
-	int i, len;
+	unsigned char *der;
+	unsigned long val1, val;
+	int i, j, len;
 	char *ptr, *end, *inend;

 	assert( in != NULL );
 	assert( out != NULL );

-	if ( !out->bv_val || out->bv_len < in->bv_len )
+	if ( !out->bv_val || out->bv_len < in->bv_len/2 )
 		return -1;

-	/* OIDs must have at least two components */
-	if ( sscanf( in->bv_val, "%ld.%ld", &val, &val1 ) != 2 )
-		return -1;
+	der = (unsigned char *) out->bv_val;
+	ptr = in->bv_val;
+	inend = ptr + in->bv_len;

-	val *= 40;
-	val += val1;
-
-	inend = in->bv_val + in->bv_len;
-
-	ptr = strchr( in->bv_val, '.' );
-	ptr = strchr( ptr+1, '.' );
-	if ( ptr )
-		++ptr;
-	else
-		ptr = inend;
+	/* OIDs start with <0-1>.<0-39> or 2.<any>, DER-encoded 40*val1+val2 */
+	if ( !isdigit( (unsigned char) *ptr )) return -1;
+	val1 = strtoul( ptr, &end, 10 );
+	if ( end == ptr || val1 > 2 ) return -1;
+	if ( *end++ != '.' || !isdigit( (unsigned char) *end )) return -1;
+	val = strtoul( end, &ptr, 10 );
+	if ( ptr == end ) return -1;
+	if ( val > (val1 < 2 ? 39 : LBER_OID_COMPONENT_MAX - 80) ) return -1;
+	val += val1 * 40;

 	for (;;) {
-		if ( !val ) {
-			*der++ = 0;
-		} else {
-			int hibit = 0;
-			i = sizeof(unsigned long) + 1;
-			len = i;
-			for (;val;) {
-				i--;
-				val1 = val & 0x7f;
-				val >>= 7;
-				der[i] = val1 | hibit;
-				hibit = 0x80;
-			}
-			if ( i ) {
-				len -= i;
-				AC_MEMCPY( der, der+i, len );
-			}
-			der += len;
+		if ( ptr > inend ) return -1;
+
+		len = 0;
+		do {
+			der[len++] = (val & 0xff) | 0x80;
+		} while ( (val >>= 7) != 0 );
+		der[0] &= 0x7f;
+		for ( i = 0, j = len; i < --j; i++ ) {
+			unsigned char tmp = der[i];
+			der[i] = der[j];
+			der[j] = tmp;
 		}
-		if ( ptr >= inend ) break;
-		val = strtol( ptr, &end, 10 );
-		if ( ptr == end ) break;
-		if ( *end && *end != '.' ) break;
-		ptr = end + 1;
+		der += len;
+		if ( ptr == inend )
+			break;
+
+		if ( *ptr++ != '.' ) return -1;
+		if ( !isdigit( (unsigned char) *ptr )) return -1;
+		val = strtoul( ptr, &end, 10 );
+		if ( end == ptr || val > LBER_OID_COMPONENT_MAX ) return -1;
+		ptr = end;
 	}
+
 	out->bv_len = (char *)der - out->bv_val;
 	return 0;
 }
--- a/libraries/liblber/lber-int.h
+++ b/libraries/liblber/lber-int.h
@ -120,6 +120,14 @@ struct seqorset {
 };


+/*
+ * decode.c, encode.c
+ */
+
+/* Simplest OID max-DER-component to implement in both decode and encode */
+#define LBER_OID_COMPONENT_MAX ((unsigned long)-1 - 128)
+
+
 /*
 * io.c
 */