From cbfc87569534f71c42afd9b1cf5854eb297c088f Mon Sep 17 00:00:00 2001
From: rob <>
Date: Sun, 12 May 2019 18:11:51 +0000
Subject: [PATCH] Fail early if a (universal) primitive type identifies as constructed, or if a boolean has a contents length other than 1. ok claudio@
---
 src/lib/libutil/ber.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/lib/libutil/ber.c b/src/lib/libutil/ber.c
index 2d242f75..cbb56b57 100644
--- a/src/lib/libutil/ber.c
+++ b/src/lib/libutil/ber.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ber.c,v 1.3 2019/05/12 17:50:32 rob Exp $ */
+/* $OpenBSD: ber.c,v 1.4 2019/05/12 18:11:51 rob Exp $ */
 
 /*
 * Copyright (c) 2007, 2012 Reyk Floeter
@@ -1207,6 +1207,18 @@ ber_read_element(struct ber *ber, struct ber_element *elm)
 DPRINTF("ber read element size %zd\n", len);
 totlen += r + len;
 
+ /* The encoding of boolean, integer, enumerated, and null values
+ * must be primitive. */
+ if (class == BER_CLASS_UNIVERSAL)
+ if (type == BER_TYPE_BOOLEAN ||
+ type == BER_TYPE_INTEGER ||
+ type == BER_TYPE_ENUMERATED ||
+ type == BER_TYPE_NULL)
+ if (cstruct) {
+ errno = EINVAL;
+ return -1;
+ }
+
 /* If the total size of the element is larger than the buffer
 * don't bother to continue. */
 if (len > ber->br_rend - ber->br_rptr) {
@@ -1241,6 +1253,10 @@ ber_read_element(struct ber *ber, struct ber_element *elm)
 case BER_TYPE_EOC: /* End-Of-Content */
 break;
 case BER_TYPE_BOOLEAN:
+ if (len != 1) {
+ errno = EINVAL;
+ return -1;
+ }
 case BER_TYPE_INTEGER:
 case BER_TYPE_ENUMERATED:
 if (len > (ssize_t)sizeof(long long))
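Review bot: The primitive-only list in the new check stops at BOOLEAN, INTEGER, ENUMERATED and NULL, but X.690 also requires OBJECT IDENTIFIER contents to be primitive, so a universal element flagged as a constructed OID still passes this gate. Consider adding `type == BER_TYPE_OBJECT ||` to the condition unless the rest of ber_read_element, which continues outside this hunk, already rejects that shape. The three nested `if`s without braces would also be safer folded into one braced `&&` condition, because a later `else` would bind to the innermost `if`. Since this function decodes BER that may come from the network, every malformed shape let through here has to be handled correctly by the decode switch further down.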
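Review bot: `case BER_TYPE_BOOLEAN:` now has a body and still falls through into `case BER_TYPE_INTEGER:` without a marker, which reads like a missing `break` and trips `-Wimplicit-fallthrough`. Add `/* FALLTHROUGH */` after the closing brace of the `len != 1` check. The hunk gives NULL no matching contents-length check (X.690 requires length 0 there). Whether the NULL case enforces that is outside the visible lines, so it is worth confirming. The switch and the rest of ber_read_element continue past the end of the hunk.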