| #include <stdio.h> |
| #include <assert.h> |
| |
| #include <asn_internal.h> |
| #include <ber_decoder.h> |
| #include <OCTET_STRING.h> |
| #include <ber_tlv_length.h> |
| #include <ber_tlv_tag.h> |
| |
| uint8_t *buf; |
| size_t buf_size; |
| size_t buf_off; |
| |
| static int |
| write_to_buf(const void *buffer, size_t size, void *key) { |
| (void)key; |
| |
| if(buf_off + size > buf_size) { |
| size_t n = buf_size?:16; |
| while(n < buf_off + size) n <<= 2; |
| buf = realloc(buf, n); |
| assert(buf); |
| buf_size = n; |
| } |
| |
| memcpy(buf + buf_off, buffer, size); |
| |
| buf_off += size; |
| return 0; |
| } |
| |
| |
| static void |
| check(size_t size) { |
| OCTET_STRING_t *os; |
| OCTET_STRING_t *nos = 0; |
| OCTET_STRING_t **nosp = &nos; |
| asn_enc_rval_t erval; |
| asn_dec_rval_t rval; |
| |
| os = OCTET_STRING_new_fromBuf(&asn_DEF_OCTET_STRING, 0, size); |
| assert(os); |
| assert(os->size == 0); |
| |
| os->buf = malloc(size); |
| assert(os->buf); |
| os->size = size; |
| |
| for(size_t i = 0; i < size; i++) { |
| os->buf[i] = i; |
| } |
| |
| buf_off = 0; |
| erval = der_encode(&asn_DEF_OCTET_STRING, |
| os, write_to_buf, 0); |
| assert(erval.encoded >= 0 && (size_t)erval.encoded == buf_off); |
| assert(buf_off > size); |
| |
| rval = ber_decode(0, &asn_DEF_OCTET_STRING, (void **)nosp, buf, buf_off); |
| assert(rval.code == RC_OK); |
| assert(rval.consumed == buf_off); |
| |
| assert(os->size == nos->size); |
| |
| for(size_t i = 0; i < size; i++) { |
| assert(os->buf[i] == nos->buf[i]); |
| } |
| |
| if(0) { |
| fprintf(stderr, "new(%zd):", size); |
| for(size_t i = 0; i < (buf_off<10?buf_off:10); i++) |
| fprintf(stderr, " %02x", buf[i]); |
| printf("\n"); |
| } |
| |
| |
| asn_DEF_OCTET_STRING.free_struct(&asn_DEF_OCTET_STRING, os, 0); |
| asn_DEF_OCTET_STRING.free_struct(&asn_DEF_OCTET_STRING, nos, 0); |
| } |
| |
| int |
| main() { |
| uint8_t buf1[] = { 0x85, 0x00, 0x01, 0x02, 0x03, 0x04 }; |
| uint8_t buf2[] = { 0x85, 0x00, 0x7f, 0xff, 0x03, 0x04 }; |
| uint8_t buf3[] = { 0x85, 0x00, 0x7f, 0xff, 0xff, 0x04 }; |
| uint8_t buf4[] = { 0x89, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04 }; |
| ber_tlv_len_t tlv_len; |
| ssize_t ret; |
| |
| for(size_t i = 0; i < 66000; i++) { |
| if(i == 4500) i = 64000; /* Jump */ |
| check(i); |
| } |
| |
| ret = ber_fetch_length(0, buf1, sizeof(buf1), &tlv_len); |
| printf("ret=%ld, len=%ld\n", (long)ret, (long)tlv_len); |
| assert(ret == sizeof(buf1)); |
| assert(tlv_len == 0x01020304); |
| |
| ret = ber_fetch_length(0, buf2, sizeof(buf2), &tlv_len); |
| printf("ret=%ld, len=%ld\n", (long)ret, (long)tlv_len); |
| assert(ret == sizeof(buf2)); |
| assert(tlv_len == 0x7fff0304); |
| |
| /* |
| * Here although tlv_len is not greater than 2^31, |
| * we ought to hit an embedded length exploitation preventive check. |
| */ |
| printf("sizeof(tlv_len) = %d\n", (int)sizeof(tlv_len)); |
| if(sizeof(tlv_len) <= 4) { |
| ret = ber_fetch_length(0, buf3, sizeof(buf3), &tlv_len); |
| printf("ret=%ld\n", (long)ret); |
| printf("len=0x%x\n", (unsigned int)tlv_len); |
| assert(ret == -1); |
| } |
| if(sizeof(tlv_len) <= 8) { |
| ret = ber_fetch_length(0, buf4, sizeof(buf4), &tlv_len); |
| printf("ret=%lld\n", (long long)ret); |
| assert(ret == -1); |
| } |
| |
| return 0; |
| } |