Limit ASN.1 constructed types recursive definition depth

# define ASN1_R_MSTRING_NOT_UNIVERSAL                     139

# define ASN1_R_MSTRING_WRONG_TAG                         140

# define ASN1_R_NESTED_ASN1_STRING                        197

# define ASN1_R_NESTED_TOO_DEEP                           219

# define ASN1_R_NON_HEX_CHARACTERS                        141

# define ASN1_R_NOT_ASCII_FORMAT                          190

# define ASN1_R_NOT_ENOUGH_DATA                           142

/* crypto/asn1/asn1_err.c */

/* ====================================================================

 * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.

 * Copyright (c) 1999-2018 The OpenSSL Project.  All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

    {ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL), "mstring not universal"},

    {ERR_REASON(ASN1_R_MSTRING_WRONG_TAG), "mstring wrong tag"},

    {ERR_REASON(ASN1_R_NESTED_ASN1_STRING), "nested asn1 string"},

    {ERR_REASON(ASN1_R_NESTED_TOO_DEEP), "nested too deep"},

    {ERR_REASON(ASN1_R_NON_HEX_CHARACTERS), "non hex characters"},

    {ERR_REASON(ASN1_R_NOT_ASCII_FORMAT), "not ascii format"},

    {ERR_REASON(ASN1_R_NOT_ENOUGH_DATA), "not enough data"},

#include <openssl/buffer.h>

#include <openssl/err.h>

/*

 * Constructed types with a recursive definition (such as can be found in PKCS7)

 * could eventually exceed the stack given malicious input with excessive

 * recursion. Therefore we limit the stack depth. This is the maximum number of

 * recursive invocations of asn1_item_embed_d2i().

 */

#define ASN1_MAX_CONSTRUCTED_NEST 30

static int asn1_check_eoc(const unsigned char **in, long len);

static int asn1_find_end(const unsigned char **in, long len, char inf);

static int asn1_template_ex_d2i(ASN1_VALUE **pval,

                                const unsigned char **in, long len,

                                const ASN1_TEMPLATE *tt, char opt,

                                ASN1_TLC *ctx);

                                ASN1_TLC *ctx, int depth);

static int asn1_template_noexp_d2i(ASN1_VALUE **val,

                                   const unsigned char **in, long len,

                                   const ASN1_TEMPLATE *tt, char opt,

                                   ASN1_TLC *ctx);

                                   ASN1_TLC *ctx, int depth);

static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,

                                 const unsigned char **in, long len,

                                 const ASN1_ITEM *it,

{

    ASN1_TLC c;

    asn1_tlc_clear_nc(&c);

    return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);

    return asn1_template_ex_d2i(pval, in, len, tt, 0, &c, 0);

}

/*

 * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and

 * tag mismatch return -1 to handle OPTIONAL

 */

int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,

                     const ASN1_ITEM *it,

                     int tag, int aclass, char opt, ASN1_TLC *ctx)

static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,

                            long len, const ASN1_ITEM *it, int tag, int aclass,

                            char opt, ASN1_TLC *ctx, int depth)

{

    const ASN1_TEMPLATE *tt, *errtt = NULL;

    const ASN1_COMPAT_FUNCS *cf;

    else

        asn1_cb = 0;

    if (++depth > ASN1_MAX_CONSTRUCTED_NEST) {

        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NESTED_TOO_DEEP);

        goto err;

    }

    switch (it->itype) {

    case ASN1_ITYPE_PRIMITIVE:

        if (it->templates) {

                goto err;

            }

            return asn1_template_ex_d2i(pval, in, len,

                                        it->templates, opt, ctx);

                                        it->templates, opt, ctx, depth);

        }

        return asn1_d2i_ex_primitive(pval, in, len, it,

                                     tag, aclass, opt, ctx);

            /*

             * We mark field as OPTIONAL so its absence can be recognised.

             */

            ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);

            ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth);

            /* If field not present, try the next one */

            if (ret == -1)

                continue;

             * attempt to read in field, allowing each to be OPTIONAL

             */

            ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx);

            ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,

                                       depth);

            if (!ret) {

                errtt = seqtt;

                goto err;

    return 0;

}

int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,

                     const ASN1_ITEM *it,

                     int tag, int aclass, char opt, ASN1_TLC *ctx)

{

    return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0);

}

/*

 * Templates are handled with two separate functions. One handles any

 * EXPLICIT tag and the other handles the rest.

static int asn1_template_ex_d2i(ASN1_VALUE **val,

                                const unsigned char **in, long inlen,

                                const ASN1_TEMPLATE *tt, char opt,

                                ASN1_TLC *ctx)

                                ASN1_TLC *ctx, int depth)

{

    int flags, aclass;

    int ret;

            return 0;

        }

        /* We've found the field so it can't be OPTIONAL now */

        ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);

        ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth);

        if (!ret) {

            ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);

            return 0;

            }

        }

    } else

        return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);

        return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth);

    *in = p;

    return 1;

static int asn1_template_noexp_d2i(ASN1_VALUE **val,

                                   const unsigned char **in, long len,

                                   const ASN1_TEMPLATE *tt, char opt,

                                   ASN1_TLC *ctx)

                                   ASN1_TLC *ctx, int depth)

{

    int flags, aclass;

    int ret;

                break;

            }

            skfield = NULL;

            if (!ASN1_item_ex_d2i(&skfield, &p, len,

                                  ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {

            if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item),

                                  -1, 0, 0, ctx, depth)) {

                ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,

                        ERR_R_NESTED_ASN1_ERROR);

                goto err;

        }

    } else if (flags & ASN1_TFLG_IMPTAG) {

        /* IMPLICIT tagging */

        ret = ASN1_item_ex_d2i(val, &p, len,

                               ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt,

                               ctx);

        ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag,

                               aclass, opt, ctx, depth);

        if (!ret) {

            ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);

            goto err;

            return -1;

    } else {

        /* Nothing special */

        ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),

                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);

        ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),

                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx,

                               depth);

        if (!ret) {

            ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);

            goto err;