common: Protect against a theoretical integer overflow in tlv.c

* common/tlv.c (parse_ber_header): Protect agains integer overflow. -- Although there is no concrete case where we use the (nhdr + length), it is better to protect against this already here.
author: Werner Koch <[email protected]> 2022-10-07 12:12:33 +0000
committer: Werner Koch <[email protected]> 2022-10-07 12:21:20 +0000
commit: c300253181cfc591cbcae9251eda5296ed29591b (patch)
tree: c057b777933104fe842d1bfa7b3949b8c0a46aeb
parent: dirmngr: Support paged LDAP mode for KS_GET (diff)
download: gnupg-c300253181cfc591cbcae9251eda5296ed29591b.tar.gz
gnupg-c300253181cfc591cbcae9251eda5296ed29591b.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/common/tlv.c b/common/tlv.c
index abef83a37..9618d04cb 100644
--- a/common/tlv.c
+++ b/common/tlv.c
@@ -222,6 +222,11 @@ parse_ber_header (unsigned char const **buffer, size_t *size,
       *r_length = len;
     }
 
+  if (*r_length > *r_nhdr && (*r_nhdr + *r_length) < *r_length)
+    {
+      return gpg_err_make (default_errsource, GPG_ERR_EOVERFLOW);
+    }
+
   /* Without this kludge some example certs can't be parsed. */
   if (*r_class == CLASS_UNIVERSAL && !*r_tag)
     *r_length = 0;
author	Werner Koch <[email protected]>	2022-10-07 12:12:33 +0000
committer	Werner Koch <[email protected]>	2022-10-07 12:21:20 +0000
commit	c300253181cfc591cbcae9251eda5296ed29591b (patch)
tree	c057b777933104fe842d1bfa7b3949b8c0a46aeb
parent	dirmngr: Support paged LDAP mode for KS_GET (diff)
download	gnupg-c300253181cfc591cbcae9251eda5296ed29591b.tar.gz gnupg-c300253181cfc591cbcae9251eda5296ed29591b.zip