From 99837f06c78dde81614bab9a3a58c005b004338d Mon Sep 17 00:00:00 2001
From: Adam Dickmeiss
Date: Mon, 20 Oct 2003 13:44:05 +0000
Subject: [PATCH] Prevent completeBER from returning 0 (PDU incomplete) on bad packages: it eats all memory until the process dies.

---
 odr/ber_any.c | 85 +++++++++++++++++++++++++++++++++++++++++++++++++++++----
 odr/ber_len.c | 16 +++++++----
 2 files changed, 89 insertions(+), 12 deletions(-)

diff --git a/odr/ber_any.c b/odr/ber_any.c
index 6094f9a..376d121 100644
--- a/odr/ber_any.c
+++ b/odr/ber_any.c
@@ -2,12 +2,13 @@
 * Copyright (c) 1995-2003, Index Data
 * See the file LICENSE for details.
 *
- * $Id: ber_any.c,v 1.25 2003-05-20 17:22:54 adam Exp $
+ * $Id: ber_any.c,v 1.26 2003-10-20 13:44:05 adam Exp $
 */
 
 #if HAVE_CONFIG_H
 #include
 #endif
+#include
 #include "odr-priv.h"
 
 int ber_any(ODR o, Odr_any **p)
@@ -35,41 +36,105 @@ int ber_any(ODR o, Odr_any **p)
 }
 }
 
+#define BER_ANY_DEBUG 0
+
 /*
 * Return length of BER-package or 0.
 */
-int completeBER(const unsigned char *buf, int len)
+int completeBER_n(const unsigned char *buf, int len, int level)
 {
 int res, ll, zclass, tag, cons;
 const unsigned char *b = buf;
+ int bad = 0;
 
+ if (len > 5000000 || level > 1000)
+ {
+ bad = 1;
+#if BER_ANY_DEBUG
+ yaz_log(LOG_LOG, "completeBER lev=%d len=%d", level, len);
+#endif
+ if (level > 1000)
+ return -2;
+ }
 if (!len)
 return 0;
 if (!buf[0] && !buf[1])
 return 0;
 if ((res = ber_dectag(b, &zclass, &tag, &cons, len)) <= 0)
 return 0;
+#if 0
+/* removed, since ber_dectag never reads that far .. */
 if (res > len)
 return 0;
+#endif
 b += res;
 len -= res;
- if ((res = ber_declen(b, &ll, len)) <= 0)
- return 0;
+ assert (len >= 0);
+ res = ber_declen(b, &ll, len);
+ if (res == -2)
+ {
+#if BER_ANY_DEBUG
+ if (bad)
+ yaz_log(LOG_LOG, "<<<<<<<<< return1 lev=%d res=%d", level, res);
+#endif
+ return -1; /* error */
+ }
+ if (res == -1)
+ {
+#if BER_ANY_DEBUG
+ if (bad)
+ yaz_log(LOG_LOG, "<<<<<<<<< return3 lev=%d res=-1", level);
+#endif
+ return 0; /* incomplete length */
+ }
+ if (ll > 5000000)
+ {
+#if BER_ANY_DEBUG
+ if (bad)
+ yaz_log(LOG_LOG, "<<<<<<<<< return2 lev=%d len=%d res=%d ll=%d",
+ level, len, res, ll);
+#endif
+ return -1; /* error */
+ }
+#if 0
+/* no longer necessary, since ber_declen never reads that far (returns -1) */
 if (res > len)
+ {
+ if (bad)
+ yaz_log(LOG_LOG, "<<<<<<<<< return4 lev=%d res=%d len=%d",
+ level, res, len);
 return 0;
+ }
+#endif
 b += res;
 len -= res;
 if (ll >= 0)
+ { /* definite length */
+#if BER_ANY_DEBUG
+ if (bad && len < ll)
+ yaz_log(LOG_LOG, "<<<<<<<<< return5 lev=%d len=%d ll=%d",
+ level, len, ll);
+#endif
 return (len >= ll ? ll + (b-buf) : 0);
+ }
+ /* indefinite length */
 if (!cons)
- return 0;
+ { /* if primitive, it's an error */
+#if BER_ANY_DEBUG
+ yaz_log(LOG_LOG, "<<<<<<<<< return6 lev=%d ll=%d len=%d res=%d",
+ level, ll, len, res);
+#endif
+ return -1; /* error */
+ }
 /* constructed - cycle through children */
 while (len >= 2)
 {
 if (*b == 0 && *(b + 1) == 0)
 break;
- if (!(res = completeBER(b, len)))
+ if (!(res = completeBER_n(b, len, level+1)))
 return 0;
+ if (res == -1)
+ return -1;
 b += res;
 len -= res;
 }
@@ -77,3 +142,11 @@ int completeBER(const unsigned char *buf, int len)
 return 0;
 return (b - buf) + 2;
 }
+
+int completeBER(const unsigned char *buf, int len)
+{
+ int res = completeBER_n(buf, len, 0);
+ if (res < 0)
+ return len;
+ return res;
+}
diff --git a/odr/ber_len.c b/odr/ber_len.c
index b4fdba6..2c76765 100644
--- a/odr/ber_len.c
+++ b/odr/ber_len.c
@@ -3,7 +3,7 @@
 * See the file LICENSE for details.
 * Sebastian Hammer, Adam Dickmeiss
 *
- * $Id: ber_len.c,v 1.12 2003-03-11 11:03:31 adam Exp $
+ * $Id: ber_len.c,v 1.13 2003-10-20 13:44:05 adam Exp $
 */
 #if HAVE_CONFIG_H
 #include
@@ -79,10 +79,14 @@ int ber_enclen(ODR o, int len, int lenlen, int exact)
 }
 
 /*
- * Decode BER length octets. Returns number of bytes read or -1 for error.
+ * Decode BER length octets. Returns
+ * > 0 : number of bytes read
+ * -1 : not enough room to read bytes within max bytes
+ * -2 : other error
+ *
 * After return:
- * len = -1 indefinite.
- * len >= 0 Length.
+ * len = -1 indefinite length.
+ * len >= 0 definite length
 */
 int ber_declen(const unsigned char *buf, int *len, int max)
 {
@@ -108,7 +112,7 @@ int ber_declen(const unsigned char *buf, int *len, int max)
 return 1;
 }
 if (*b == 0XFF) /* reserved value */
- return -1;
+ return -2;
 /* indefinite long form */
 n = *b & 0X7F;
 if (n >= max)
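Review bot: The child-result check in the constructed-length loop only handles -1, so the -2 that completeBER_n returns once level exceeds 1000 falls through to `b += res; len -= res;`, which moves b two bytes backwards and grows len, so the loop keeps going over bytes before the current position instead of aborting. Checking for any negative result covers both codes: `if (res < 0) return -1;` in place of `if (res == -1) return -1;`. The top-level completeBER already treats every negative result alike, so nothing changes for its callers. Separately, `if (!buf[0] && !buf[1])` still reads buf[1] when len is 1; a `if (len < 2) return 0;` guard ahead of it keeps the read inside the buffer, and as far as I can see a one-byte buffer already ends up returning 0 through ber_declen's -1 path. The header comment above the function still says "Return length of BER-package or 0." and should now also list the -1/-2 error results.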
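Review bot: completeBER's `if (res < 0) return len;` is the behaviour the commit message is about but carries no comment, and a reader of this wrapper alone will take "return len" to mean the whole buffer is one valid PDU. Per the commit message the intent is that a malformed package is handed over as a whole so the caller consumes and rejects it rather than buffering indefinitely; a comment such as `/* malformed package: report the whole buffer so the caller consumes and rejects it instead of waiting for more bytes */` above the return would record that. completeBER_n's -2 (nesting too deep) and -1 (bad length or primitive indefinite form) are deliberately collapsed here, which is worth a word in the same comment.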
@@ -121,7 +125,7 @@ int ber_declen(const unsigned char *buf, int *len, int max)
 *len |= *(b++);
 }
 if (*len < 0)
- return -1;
+ return -2;
 #ifdef ODR_DEBUG
 fprintf(stderr, "[len=%d]", *len);
 #endif
-- 
1.7.10.4
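Review bot: The `if (*len < 0) return -2;` test detects an oversize length only after the accumulation loop above it has already driven `*len` negative; if that loop shifts a plain `int`, the overflow is undefined behaviour before the test ever runs, so the check is not guaranteed to fire. Accumulating into an `unsigned` local and rejecting it when it exceeds INT_MAX (or rejecting an octet count n larger than sizeof(int)) before storing to `*len` would make the check well-defined. The accumulation loop begins before this hunk, so I cannot confirm its exact form from here.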