aboutsummaryrefslogtreecommitdiff
path: root/crypto/objects/obj_dat.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/objects/obj_dat.c')
-rw-r--r--crypto/objects/obj_dat.c21
1 files changed, 20 insertions, 1 deletions
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 01cde00e98b7..1a52000e6e9d 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
first = 1;
bl = NULL;
+ /*
+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
+ *
+ * > 3.5. OBJECT IDENTIFIER values
+ * >
+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative
+ * > numbers. For the SMIv2, each number in the list is referred to as a
+ * > sub-identifier, there are at most 128 sub-identifiers in a value,
+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
+ * > decimal).
+ *
+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
+ * i.e. 586 bytes long.
+ *
+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
+ */
+ if (len > 586)
+ goto err;
+
while (len > 0) {
l = 0;
use_bn = 0;
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-09 03:50:56 +0000