From 7864e8e7cc8e1a2ce2989459d9af5d9072a31ab6 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Sun, 22 Sep 2019 07:54:57 +0200 Subject: [PATCH] der/asn1: reduce max depth limit to 32 OpenSSL uses 30, so this seems a reasonable limit. Set a smaller limit than before to reduce the resources spent on specially crafted input designed to be maximally expensive. --- src/util-decode-der.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/util-decode-der.c b/src/util-decode-der.c index 2bdb63fab2..dbde7643cc 100644 --- a/src/util-decode-der.c +++ b/src/util-decode-der.c @@ -130,6 +130,9 @@ static int Asn1SequenceAppend(Asn1Generic *seq, Asn1Generic *node) return 0; } +/* openssl has set a limit of 30, so stay close to that. */ +#define DER_MAX_RECURSION_DEPTH 32 + static Asn1Generic * DecodeAsn1DerGeneric(const unsigned char *buffer, uint32_t max_size, uint8_t depth, int seq_index, uint32_t *errcode) @@ -143,7 +146,7 @@ static Asn1Generic * DecodeAsn1DerGeneric(const unsigned char *buffer, uint8_t el_type; /* refuse excessive recursion */ - if (unlikely(depth == 255)) { + if (unlikely(depth >= DER_MAX_RECURSION_DEPTH)) { *errcode = ERR_DER_RECURSION_LIMIT; return NULL; }