Fix possible read access beyond the buffer.
author Werner Koch <wk@gnupg.org>
Tue, 3 May 2016 12:10:04 +0000 (14:10 +0200)
committer Werner Koch <wk@gnupg.org>
Tue, 3 May 2016 12:10:04 +0000 (14:10 +0200)
commit a7eed17a0b2a1c09ef986f3b4b323cd31cea2b64
tree f5d5b255e177c643e76251a28e394391c92e1a01
parent 3d968bbffc3a0acda890e342fbbfa5b34a26085e
Fix possible read access beyond the buffer.

* src/ber-help.c (_ksba_ber_parse_tl): Add extra sanity check.
* src/cert.c (ksba_cert_get_cert_policies): Check TLV given length
against buffer length.
(ksba_cert_get_ext_key_usages): Ditto.
* src/ocsp.c (parse_asntime_into_isotime): Ditto.
--

The returned length of the object from _ksba_ber_parse_tl (ti.length)
was not always checked against the actual buffer length, thus leading
to a read access after the end of the buffer and thus a segv.

GnuPG-bug-id: 2344
Reported-by: Pascal Cuoq
Signed-off-by: Werner Koch <wk@gnupg.org>
src/ber-help.c
src/cert.c
src/name.c
src/ocsp.c
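
The check the commit message describes, as an added example that is not libksba's code: a minimal definite-length BER tag/length parser whose caller compares the declared length with the bytes actually left in the buffer before touching the value. The names `struct tl`, `parse_tl` and `tlv_value` and the sample byte strings are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration; not libksba's struct tag_info or API. */
struct tl { unsigned tag; size_t hdrlen; size_t length; };

/* Parse one definite-length BER tag+length header; 0 on success, -1 on bad input. */
static int parse_tl(const uint8_t *buf, size_t len, struct tl *ti)
{
    size_t pos = 0, n = 0;
    if (len < 2) return -1;
    ti->tag = buf[pos++] & 0x1f;
    if (ti->tag == 0x1f) return -1;          /* multi-byte tags: out of scope */
    unsigned c = buf[pos++];
    if (c & 0x80) {                          /* long form: (c & 0x7f) length octets */
        unsigned cnt = c & 0x7f;
        if (cnt == 0 || cnt > sizeof n) return -1;  /* indefinite or too wide */
        if (cnt > len - pos) return -1;      /* length octets themselves truncated */
        while (cnt--) n = (n << 8) | buf[pos++];
    } else {
        n = c;                               /* short form */
    }
    ti->hdrlen = pos;
    ti->length = n;
    return 0;
}

/* Return the value length (and set *val if non-NULL), or -1 if it does not fit. */
long tlv_value(const uint8_t *buf, size_t len, const uint8_t **val)
{
    struct tl ti;
    if (parse_tl(buf, len, &ti)) return -1;
    if (ti.length > len - ti.hdrlen) return -1;  /* declared length vs. bytes left */
    if (val) *val = buf + ti.hdrlen;
    return (long)ti.length;
}

/* Constructed sample inputs. */
const uint8_t ok_tlv[]    = { 0x04, 0x03, 'a', 'b', 'c' };    /* OCTET STRING, 3 bytes */
const uint8_t lying_tlv[] = { 0x04, 0x7f, 'a' };              /* claims 127, has 1 */
const uint8_t long_tlv[]  = { 0x30, 0x82, 0x01, 0x00, 0x00 }; /* claims 256, has 1 */
int main(void)
{
    printf("%ld %ld %ld\n", tlv_value(ok_tlv, sizeof ok_tlv, NULL),
           tlv_value(lying_tlv, sizeof lying_tlv, NULL), tlv_value(long_tlv, sizeof long_tlv, NULL));
    return 0;
}
```

The comparison is written as `ti.length > len - ti.hdrlen` rather than `ti.hdrlen + ti.length > len` so that an attacker-chosen length close to `SIZE_MAX` cannot wrap the sum and slip past the check.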