ソースを参照

[crypto] Allow for zero-length ASN.1 cursors

The assumption in asn1_type() that an ASN.1 cursor will always contain
a type byte is incorrect.  A cursor that has been cleanly invalidated
via asn1_invalidate_cursor() will contain a type byte, but there are
other ways in which to arrive at a zero-length cursor.

Fix by explicitly checking the cursor length in asn1_type().  This
allows asn1_invalidate_cursor() to be reduced to simply zeroing the
length field.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 8年前
コミット
5a6ed90a00
2個のファイルの変更14行の追加14行の削除
  1. 0
    12
      src/crypto/asn1.c
  2. 14
    2
      src/include/ipxe/asn1.h

+ 0
- 12
src/crypto/asn1.c ファイルの表示

@@ -81,18 +81,6 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
81 81
 #define EINFO_ENOTTY_ALGORITHM \
82 82
 	__einfo_uniqify ( EINFO_ENOTTY, 0x01, "Inappropriate algorithm" )
83 83
 
84
-/**
85
- * Invalidate ASN.1 object cursor
86
- *
87
- * @v cursor		ASN.1 object cursor
88
- */
89
-void asn1_invalidate_cursor ( struct asn1_cursor *cursor ) {
90
-	static uint8_t asn1_invalid_object[] = { ASN1_END, 0 };
91
-
92
-	cursor->data = asn1_invalid_object;
93
-	cursor->len = 0;
94
-}
95
-
96 84
 /**
97 85
  * Start parsing ASN.1 object
98 86
  *

+ 14
- 2
src/include/ipxe/asn1.h ファイルの表示

@@ -314,15 +314,27 @@ struct asn1_bit_string {
314 314
 	unsigned int unused;
315 315
 } __attribute__ (( packed ));
316 316
 
317
+/**
318
+ * Invalidate ASN.1 object cursor
319
+ *
320
+ * @v cursor		ASN.1 object cursor
321
+ */
322
+static inline __attribute__ (( always_inline )) void
323
+asn1_invalidate_cursor ( struct asn1_cursor *cursor ) {
324
+	cursor->len = 0;
325
+}
326
+
317 327
 /**
318 328
  * Extract ASN.1 type
319 329
  *
320 330
  * @v cursor		ASN.1 object cursor
321
- * @ret type		Type
331
+ * @ret type		Type, or ASN1_END if cursor is invalid
322 332
  */
323 333
 static inline __attribute__ (( always_inline )) unsigned int
324 334
 asn1_type ( const struct asn1_cursor *cursor ) {
325
-	return ( *( ( const uint8_t * ) cursor->data ) );
335
+	const uint8_t *type = cursor->data;
336
+
337
+	return ( ( cursor->len >= sizeof ( *type ) ) ? *type : ASN1_END );
326 338
 }
327 339
 
328 340
 extern void asn1_invalidate_cursor ( struct asn1_cursor *cursor );

読み込み中…
キャンセル
保存