Commit da53d0c
fix prevent buffer overflow in ASN_OCTET_STR index allocation

In register_index(), when generating sequential string indices from
'prev_idx_ptr', the code used a flawed algorithm that could lead to
buffer overflow by writing beyond the end of new_index->varbind->buf.

The loop condition relied on buf[i] without proper bounds checking,
and the fallback logic for growing the string wrote to buf[i+1]
without validating available space.

Rewrite the octet string increment logic to:
- Properly check array bounds using i >= 0
- Use memmove to shift string left when growing
- Validate buffer capacity before extending
- Update val_len correctly

Now returns NULL if buffer is full, preventing memor

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>

1 parent 174b6cd commit da53d0c
1 file changed
Lines changed: 21 additions & 9 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
346 | 346 | | |
347 | 347 | | |
348 | 348 | | |
| 349 | + | |
349 | 350 | | |
350 | | - | |
| 351 | + | |
| 352 | + | |
351 | 353 | | |
352 | 354 | | |
353 | | - | |
354 | | - | |
355 | | - | |
356 | | - | |
| 355 | + | |
| 356 | + | |
| 357 | + | |
| 358 | + | |
| 359 | + | |
| 360 | + | |
| 361 | + | |
| 362 | + | |
| 363 | + | |
| 364 | + | |
| 365 | + | |
| 366 | + | |
| 367 | + | |
| 368 | + | |
| 369 | + | |
357 | 370 | | |
358 | 371 | | |
359 | | - | |
360 | | - | |
| 372 | + | |
361 | 373 | | |
362 | | - | |
363 | | - | |
| 374 | + | |
| 375 | + | |
364 | 376 | | |
365 | 377 | | |
366 | 378 | | |
| |||
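
The commit message describes a bounds-checked increment of a sequential octet-string index. The C code below is an added example, not the code from this commit or from the project: `struct octet_index`, `IDX_CAP`, `next_octet_index` and the 'a'..'z' alphabet are assumptions. It shows the carry loop bounded at the start of the buffer, the capacity check before growing, the `val_len` update, and a failure return that leaves the value untouched when the buffer is full.

```c
#include <stdio.h>
#include <string.h>

#define IDX_CAP 6   /* constructed capacity; stands in for the size of varbind->buf */

/* Hypothetical stand-in for the index varbind's buffer and length. */
struct octet_index {
    unsigned char buf[IDX_CAP];
    size_t val_len;             /* bytes in use, excluding the trailing NUL */
};

/* Advance idx to the next string in 'a'..'z' order (assumed alphabet).
 * Returns 0 on success, -1 when the value cannot grow without overflowing. */
int next_octet_index(struct octet_index *idx)
{
    size_t i;

    if (idx == NULL || idx->val_len >= IDX_CAP)
        return -1;                       /* stored length is already invalid */

    /* Find the rightmost byte that can still be incremented; i stops at 0. */
    for (i = idx->val_len; i > 0 && idx->buf[i - 1] >= 'z'; i--)
        ;
    if (i == 0) {
        /* Every byte is 'z': growing needs one more byte plus the NUL. */
        if (idx->val_len + 2 > IDX_CAP)
            return -1;                   /* buffer full: value left untouched */
        idx->val_len++;
    } else {
        idx->buf[i - 1]++;
    }
    /* Bytes to the right of position i roll over to 'a'. */
    memset(idx->buf + i, 'a', idx->val_len - i);
    idx->buf[idx->val_len] = '\0';
    return 0;
}

int main(void)
{
    struct octet_index idx = { "zzzzx", 5 };   /* constructed sample value */
    int rc;

    for (int k = 0; k < 3; k++) {
        rc = next_octet_index(&idx);
        printf("rc=%d value=%s\n", rc, (char *)idx.buf);
    }
    return 0;
}
```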