From 158e5207a794603f5d64ffa95e0247c7808ab445 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 3 Sep 2015 14:27:19 +0100
Subject: Limit depth of ASN1 parse printing.

Thanks to Guido Vranken <guidovranken@gmail.com> for reporting this issue.

Reviewed-by: Tim Hudson <tjh@openssl.org>
---
 crypto/asn1/asn1_par.c | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'crypto/asn1/asn1_par.c')

diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c
index 9a370cd4bc..09dde15613 100644
--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -62,6 +62,10 @@
 #include <openssl/objects.h>
 #include <openssl/asn1.h>
 
+#ifndef ASN1_PARSE_MAXDEPTH
+#define ASN1_PARSE_MAXDEPTH 128
+#endif
+
 static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
                            int indent);
 static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
@@ -123,6 +127,11 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
     /* ASN1_BMPSTRING *bmp=NULL; */
     int dump_indent;
 
+    if (depth > ASN1_PARSE_MAXDEPTH) {
+            BIO_puts(bp, "BAD RECURSION DEPTH\n");
+            goto end;
+    }
+
     dump_indent = 6;            /* Because we know BIO_dump_indent() */
     p = *pp;
     tot = p + length;
-- 
cgit v1.2.3