[openssl-users] Max size on ASN1_item_d2i_bio()?

Dr. Stephen Henson steve at openssl.org
Fri Feb 20 22:24:08 UTC 2015

On Fri, Feb 20, 2015, Nathaniel McCallum wrote:

> I'd like to use ASN1_item_d2i_bio() (or something similar) to parse an 
> incoming message. However, given that types like ASN1_OCTET_STRING 
> have (essentially) unbounded length, how do I prevent an attacker from 
> DOS'ing via OOM?
> Is there some way to set a max packet size?

No, there isn't, but if the input is in DER form you can peek the first few
bytes and get the tag+length fields to determine the size of the structure. If
the input uses indefinite length encoding, that isn't possible, however.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
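
The header peek described in the reply above, as an added example that is not part of the original message and not OpenSSL code: plain C with no OpenSSL calls that reads the tag and length octets, rejects indefinite length, and enforces a caller-chosen cap before any content is buffered. The function name, result codes and the 64 KiB limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for der_peek_total_len() (hypothetical helper, not an OpenSSL API). */
enum { DER_OK = 0, DER_NEED_MORE = -1, DER_INDEFINITE = -2,
       DER_MALFORMED = -3, DER_TOO_BIG = -4 };
/* Report the size of a whole DER element (header + content) in *total using
 * only the peeked bytes buf[0..len); max is the largest element accepted. */
int der_peek_total_len(const uint8_t *buf, size_t len, size_t max, size_t *total)
{
    size_t pos = 0, content = 0;
    if (len < 2) return DER_NEED_MORE;
    /* Identifier octets: low-tag form is one byte; 0x1f marks high-tag form. */
    if ((buf[pos++] & 0x1f) == 0x1f) {
        size_t start = pos;
        do {
            if (pos >= len) return DER_NEED_MORE;
            if (pos - start >= 4) return DER_MALFORMED;  /* cap tag number size */
        } while (buf[pos++] & 0x80);
        if (pos >= len) return DER_NEED_MORE;
    }
    uint8_t l = buf[pos++];
    if (l == 0x80) return DER_INDEFINITE;            /* size not known up front */
    if (l < 0x80) {
        content = l;                                 /* short form */
    } else {
        size_t n = l & 0x7f;                         /* long form: n length octets */
        if (n > sizeof(size_t)) return DER_TOO_BIG;  /* would not fit in size_t */
        if (len - pos < n) return DER_NEED_MORE;
        if (buf[pos] == 0) return DER_MALFORMED;     /* DER: no leading zero octet */
        for (size_t i = 0; i < n; i++)
            content = (content << 8) | buf[pos++];
        if (content < 0x80) return DER_MALFORMED;    /* DER: short form required */
    }
    if (pos > max || content > max - pos) return DER_TOO_BIG;  /* overflow-safe */
    *total = pos + content;
    return DER_OK;
}

int main(void)
{
    /* Constructed sample: SEQUENCE header announcing 256 content bytes. */
    const uint8_t hdr[] = { 0x30, 0x82, 0x01, 0x00 };
    size_t total = 0;
    int rc = der_peek_total_len(hdr, sizeof hdr, 64 * 1024, &total);
    printf("rc=%d total=%zu\n", rc, total);
    return rc == DER_OK ? 0 : 1;
}
```

On DER_OK the caller reads exactly `total` bytes into a buffer and hands that buffer to the in-memory decoder; any other result means the message is dropped or more header bytes are needed.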
