ITS#2465 fix? ber_get_next must read at least sizeof(tag)+sizeof(len)
authorHoward Chu <hyc@openldap.org>
Thu, 24 Apr 2003 02:10:18 +0000 (02:10 +0000)
committerHoward Chu <hyc@openldap.org>
Thu, 24 Apr 2003 02:10:18 +0000 (02:10 +0000)
which should be at most 8 bytes. However if we read more than the minimum
message length, we have a problem because we steal bytes from any following
message, and there is no buffer mechanism to push back excess data.
The shortest legitimate message is Unbind at 7 bytes, but there shouldn't
be anything following it. Abandon at 8 bytes is next, so always requesting
at least 8 bytes should be safe. Always requesting 9 was a problem.

Please double-check these assumptions...

libraries/liblber/io.c

index 064d80e0ee6187504102dd1fb25f1b8e37d46fd7..c618d0b286591ff22f26743a9c3d0a61bbdca0af 100644 (file)
@@ -510,13 +510,13 @@ ber_get_next(
        }
 
        while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr <
-               (char *)&ber->ber_len + LENSIZE*2) {
+               (char *)&ber->ber_len + LENSIZE*2 -1) {
                ber_slen_t sblen;
                char buf[sizeof(ber->ber_len)-1];
                ber_len_t tlen = 0;
 
                sblen=ber_int_sb_read( sb, ber->ber_rwptr,
-                       ((char *)&ber->ber_len + LENSIZE*2)-ber->ber_rwptr);
+                       ((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr);
                if (sblen<=0) return LBER_DEFAULT;
                ber->ber_rwptr += sblen;
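Review bot: The new bound `(char *)&ber->ber_len + LENSIZE*2 - 1` is written out twice, once in the `while` condition and once in the length passed to `ber_int_sb_read`, and nothing in the code records why it is one byte shorter than before. The commit message gives the reason (a read that goes past the shortest message that can have a successor consumes bytes of the next PDU, and there is no push-back buffer), so I would put it next to the loop, e.g. `/* never request more than 8 bytes: Abandon is the shortest PDU that may be followed by another */`, and compute the end pointer once, `char *hdr_end = (char *)&ber->ber_len + LENSIZE*2 - 1;`, for use in both places. Whether the expression really comes to 8 bytes depends on the value of LENSIZE and on ber_tag and ber_len being adjacent in the struct, neither of which is visible in this hunk, so that is worth confirming. The framing still rests on a protocol minimum rather than on buffering, so a shorter element followed by more data would presumably still lose bytes to this read. The loop body continues past the end of the hunk.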