ITS#5010: OID encode/decode fixes and paranoia. #define LBER_OID_COMPONENT_MAX.

diff --git a/libraries/liblber/decode.c b/libraries/liblber/decode.c
index 82027d658fb76de9a02bf57e55251ef9d726214b..3c2c780e3a2e05d0220900fbb065337564be4350 100644 (file)
--- a/libraries/liblber/decode.c
+++ b/libraries/liblber/decode.c
@@ -49,32 +49,44 @@ static ber_len_t ber_getnint LDAP_P((
 int
 ber_decode_oid( BerValue *in, BerValue *out )
 {
-       unsigned char *der = (unsigned char *) in->bv_val;
-       unsigned long val, val1;
-       int i, len;
+       const unsigned char *der;
+       unsigned long val;
+       unsigned val1;
+       ber_len_t i;
        char *ptr;
 
        assert( in != NULL );
        assert( out != NULL );
 
-       /* expands by 5/2, and we add dots - call it 3 */
-       if ( !out->bv_val || out->bv_len < in->bv_len * 3 )
+       /* need 4 chars/inbyte + \0 for input={7f 7f 7f...} */
+       if ( !out->bv_val || (out->bv_len+3)/4 <= in->bv_len )
                return -1;
 
-       val1 = der[0] / 40;
-       val = der[0] - val1 * 40;
-
-       len = sprintf( out->bv_val, "%ld.%ld", val1, val );
-       ptr = out->bv_val + len;
+       ptr = NULL;
+       der = (unsigned char *) in->bv_val;
        val = 0;
-       for ( i=1; i<in->bv_len; i++ ) {
-               val = val << 7;
+       for ( i=0; i < in->bv_len; i++ ) {
                val |= der[i] & 0x7f;
                if ( !( der[i] & 0x80 )) {
-                       ptr += sprintf( ptr, ".%ld", val );
+                       if ( ptr == NULL ) {
+                               /* Initial "x.y": val=x*40+y, x<=2, y<40 if x=2 */
+                               ptr = out->bv_val;
+                               val1 = (val < 80 ? val/40 : 2);
+                               val -= val1*40;
+                               ptr += sprintf( ptr, "%u", val1 );
+                       }
+                       ptr += sprintf( ptr, ".%lu", val );
                        val = 0;
+               } else if ( val - 1UL < LBER_OID_COMPONENT_MAX >> 7 ) {
+                       val <<= 7;
+               } else {
+                       /* val would overflow, or is 0 from invalid initial 0x80 octet */
+                       return -1;
                }
        }
+       if ( ptr == NULL || val != 0 )
+               return -1;
+
        out->bv_len = ptr - out->bv_val;
        return 0;
 }

diff --git a/libraries/liblber/encode.c b/libraries/liblber/encode.c
index 9edbf66d44ae6c324b12f17d296a6db70910f81e..9b20518ba363b34b0818ca414917a090fa5c5e97 100644 (file)
--- a/libraries/liblber/encode.c
+++ b/libraries/liblber/encode.c
@@ -30,6 +30,7 @@
 
 #include "portable.h"
 
+#include <ctype.h>
 #include <stdio.h>
 
 #include <ac/stdlib.h>
@@ -181,59 +182,55 @@ ber_put_len( BerElement *ber, ber_len_t len, int nosos )
 int
 ber_encode_oid( BerValue *in, BerValue *out )
 {
-       unsigned char *der = (unsigned char *) out->bv_val;
-       unsigned long val, val1;
-       int i, len;
+       unsigned char *der;
+       unsigned long val1, val;
+       int i, j, len;
        char *ptr, *end, *inend;
 
        assert( in != NULL );
        assert( out != NULL );
 
-       if ( !out->bv_val || out->bv_len < in->bv_len )
+       if ( !out->bv_val || out->bv_len < in->bv_len/2 )
                return -1;
 
-       /* OIDs must have at least two components */
-       if ( sscanf( in->bv_val, "%ld.%ld", &val, &val1 ) != 2 )
-               return -1;
-
-       val *= 40;
-       val += val1;
-
-       inend = in->bv_val + in->bv_len;
+       der = (unsigned char *) out->bv_val;
+       ptr = in->bv_val;
+       inend = ptr + in->bv_len;
 
-       ptr = strchr( in->bv_val, '.' );
-       ptr = strchr( ptr+1, '.' );
-       if ( ptr )
-               ++ptr;
-       else
-               ptr = inend;
+       /* OIDs start with <0-1>.<0-39> or 2.<any>, DER-encoded 40*val1+val2 */
+       if ( !isdigit( (unsigned char) *ptr )) return -1;
+       val1 = strtoul( ptr, &end, 10 );
+       if ( end == ptr || val1 > 2 ) return -1;
+       if ( *end++ != '.' || !isdigit( (unsigned char) *end )) return -1;
+       val = strtoul( end, &ptr, 10 );
+       if ( ptr == end ) return -1;
+       if ( val > (val1 < 2 ? 39 : LBER_OID_COMPONENT_MAX - 80) ) return -1;
+       val += val1 * 40;
 
        for (;;) {
-               if ( !val ) {
-                       *der++ = 0;
-               } else {
-                       int hibit = 0;
-                       i = sizeof(unsigned long) + 1;
-                       len = i;
-                       for (;val;) {
-                               i--;
-                               val1 = val & 0x7f;
-                               val >>= 7;
-                               der[i] = val1 | hibit;
-                               hibit = 0x80;
-                       }
-                       if ( i ) {
-                               len -= i;
-                               AC_MEMCPY( der, der+i, len );
-                       }
-                       der += len;
+               if ( ptr > inend ) return -1;
+
+               len = 0;
+               do {
+                       der[len++] = (val & 0xff) | 0x80;
+               } while ( (val >>= 7) != 0 );
+               der[0] &= 0x7f;
+               for ( i = 0, j = len; i < --j; i++ ) {
+                       unsigned char tmp = der[i];
+                       der[i] = der[j];
+                       der[j] = tmp;
                }
-               if ( ptr >= inend ) break;
-               val = strtol( ptr, &end, 10 );
-               if ( ptr == end ) break;
-               if ( *end && *end != '.' ) break;
-               ptr = end + 1;
+               der += len;
+               if ( ptr == inend )
+                       break;
+
+               if ( *ptr++ != '.' ) return -1;
+               if ( !isdigit( (unsigned char) *ptr )) return -1;
+               val = strtoul( ptr, &end, 10 );
+               if ( end == ptr || val > LBER_OID_COMPONENT_MAX ) return -1;
+               ptr = end;
        }
+
        out->bv_len = (char *)der - out->bv_val;
        return 0;
 }

diff --git a/libraries/liblber/lber-int.h b/libraries/liblber/lber-int.h
index 9870f3bdda976d51d45b54102bb78522c4ebb2e9..24d0dac0929240e9097793d32c29b334fc439590 100644 (file)
--- a/libraries/liblber/lber-int.h
+++ b/libraries/liblber/lber-int.h
@@ -120,6 +120,14 @@ struct seqorset {
 };
 
 
+/*
+ * decode.c, encode.c
+ */
+
+/* Simplest OID max-DER-component to implement in both decode and encode */
+#define LBER_OID_COMPONENT_MAX ((unsigned long)-1 - 128)
+
+
 /*
  * io.c
  */