From 261f15a1465b48e8baa7ebfdbc34fb11aa3e0fb9 Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Fri, 2 Feb 2018 11:17:23 +0100
Subject: [PATCH] der: fix recursion depth not being handled correctly

In a mix of sequences the 'depth reached' error would not
be fully propagated.

Found with AFL.
---
 src/app-layer-tls-handshake.c | 1 +
 src/util-decode-der.c         | 1 +
 src/util-decode-der.h         | 2 ++
 3 files changed, 4 insertions(+)

diff --git a/src/app-layer-tls-handshake.c b/src/app-layer-tls-handshake.c
index 6c3226f2d5..4a27dadec1 100644
--- a/src/app-layer-tls-handshake.c
+++ b/src/app-layer-tls-handshake.c
@@ -58,6 +58,7 @@ static void TLSCertificateErrCodeToWarning(SSLState *ssl_state,
     switch (errcode) {
         case ERR_DER_ELEMENT_SIZE_TOO_BIG:
         case ERR_DER_INVALID_SIZE:
+        case ERR_DER_RECURSION_LIMIT:
             SSLSetEvent(ssl_state,
                     TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH);
             break;
diff --git a/src/util-decode-der.c b/src/util-decode-der.c
index 2b699268c2..cf9a9b1ab5 100644
--- a/src/util-decode-der.c
+++ b/src/util-decode-der.c
@@ -144,6 +144,7 @@ static Asn1Generic * DecodeAsn1DerGeneric(const unsigned char *buffer,
 
     /* refuse excessive recursion */
     if (unlikely(depth == 255)) {
+        *errcode = ERR_DER_RECURSION_LIMIT;
         return NULL;
     }
 
diff --git a/src/util-decode-der.h b/src/util-decode-der.h
index e216c7ae7a..9710f68c98 100644
--- a/src/util-decode-der.h
+++ b/src/util-decode-der.h
@@ -90,6 +90,8 @@ typedef struct Asn1Generic_ {
 #define ERR_DER_UNSUPPORTED_STRING    0x05
 /* Missing field or element */
 #define ERR_DER_MISSING_ELEMENT       0x06
+/* Generic error */
+#define ERR_DER_RECURSION_LIMIT       0x07
 
 Asn1Generic * DecodeDer(const unsigned char *buffer, uint32_t size, uint32_t *errcode) __attribute__((nonnull));
 void DerFree(Asn1Generic *a);