[openssl-users] Max size on ASN1_item_d2i_bio()?
Dr. Stephen Henson
steve at openssl.org
Fri Feb 20 22:24:08 UTC 2015
On Fri, Feb 20, 2015, Nathaniel McCallum wrote:
> I'd like to use ASN1_item_d2i_bio() (or something similar) to parse an
> incoming message. However, given that types like ASN1_OCTET_STRING
> have (essentially) unbounded length, how do I prevent an attacker from
> DOS'ing via OOM?
>
> Is there some way to set a max packet size?
>
No there isn't but if the input is in DER form you can peek the first few
bytes and get the tag+length fields to determine the size of the structure. If
the input uses indefinite length encoding that isn't possible however.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users
mailing list