truckman 610c8f37ed Fix Coverity CIDs 1340544 Resource leak and 1340543 Use after free
At line 479 of ldapclient.c in client_build_req(), the error return
leaks ldap_attrs (CID 1340544).  It looks like this can happen if
the first utoa() call in aldap_get_stringset() fails.  It looks
like other leaks can happen if other utoa() calls fail since scanning
this array when it is freed stops when the first NULL is encountered.
Fix these problems by not storing NULL in the array when utoa()
fails, and by freeing ret and returning NULL if nothing is stored
in the array.  That way the caller will never see the
ldap_attrs[0] == NULL case, so delete that check.

The ber_printf_element() calls ber_free_elements() on its ber
argument and returns NULL on failure.  When each of its callers
detects failure, they do a goto fail, which then calls ber_free_elements()
with the same pointer (CID 1340543).  Fix is to delete the
ber_free_elements() from ber_printf_element()

Reported by:	Coverity
CID:		1340543, 1340544
Reviewed by:	araujo
Differential Revision:	https://reviews.freebsd.org/D6550
2016-05-25 01:37:25 +00:00

1277 lines
26 KiB
C

/* $OpenBSD: ber.c,v 1.9 2015/02/12 00:30:38 pelikan Exp $ */
/* $FreeBSD$ */
/*
* Copyright (c) 2007 Reyk Floeter <reyk@vantronix.net>
* Copyright (c) 2006, 2007 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2006, 2007 Marc Balmer <mbalmer@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <sys/types.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <err.h> /* XXX for debug output */
#include <stdio.h> /* XXX for debug output */
#include <string.h>
#include <unistd.h>
#include <stdarg.h>
#include "ber.h"
#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
#define BER_TYPE_CONSTRUCTED 0x20 /* otherwise primitive */
#define BER_TYPE_SINGLE_MAX 30
#define BER_TAG_MASK 0x1f
#define BER_TAG_MORE 0x80 /* more subsequent octets */
#define BER_TAG_TYPE_MASK 0x7f
#define BER_CLASS_SHIFT 6
static int ber_dump_element(struct ber *ber, struct ber_element *root);
static void ber_dump_header(struct ber *ber, struct ber_element *root);
static void ber_putc(struct ber *ber, u_char c);
static void ber_write(struct ber *ber, void *buf, size_t len);
static ssize_t get_id(struct ber *b, unsigned long *tag, int *class,
int *cstruct);
static ssize_t get_len(struct ber *b, ssize_t *len);
static ssize_t ber_read_element(struct ber *ber, struct ber_element *elm);
static ssize_t ber_readbuf(struct ber *b, void *buf, size_t nbytes);
static ssize_t ber_getc(struct ber *b, u_char *c);
static ssize_t ber_read(struct ber *ber, void *buf, size_t len);
#ifdef DEBUG
#define DPRINTF(...) printf(__VA_ARGS__)
#else
#define DPRINTF(...) do { } while (0)
#endif
struct ber_element *
ber_get_element(unsigned long encoding)
{
struct ber_element *elm;
if ((elm = calloc(1, sizeof(*elm))) == NULL)
return NULL;
elm->be_encoding = encoding;
ber_set_header(elm, BER_CLASS_UNIVERSAL, BER_TYPE_DEFAULT);
return elm;
}
void
ber_set_header(struct ber_element *elm, int class, unsigned long type)
{
elm->be_class = class & BER_CLASS_MASK;
if (type == BER_TYPE_DEFAULT)
type = elm->be_encoding;
elm->be_type = type;
}
void
ber_link_elements(struct ber_element *prev, struct ber_element *elm)
{
if (prev != NULL) {
if ((prev->be_encoding == BER_TYPE_SEQUENCE ||
prev->be_encoding == BER_TYPE_SET) &&
prev->be_sub == NULL)
prev->be_sub = elm;
else
prev->be_next = elm;
}
}
struct ber_element *
ber_unlink_elements(struct ber_element *prev)
{
struct ber_element *elm;
if ((prev->be_encoding == BER_TYPE_SEQUENCE ||
prev->be_encoding == BER_TYPE_SET) &&
prev->be_sub != NULL) {
elm = prev->be_sub;
prev->be_sub = NULL;
} else {
elm = prev->be_next;
prev->be_next = NULL;
}
return (elm);
}
void
ber_replace_elements(struct ber_element *prev, struct ber_element *new)
{
struct ber_element *ber, *next;
ber = ber_unlink_elements(prev);
next = ber_unlink_elements(ber);
ber_link_elements(new, next);
ber_link_elements(prev, new);
/* cleanup old element */
ber_free_elements(ber);
}
struct ber_element *
ber_add_sequence(struct ber_element *prev)
{
struct ber_element *elm;
if ((elm = ber_get_element(BER_TYPE_SEQUENCE)) == NULL)
return NULL;
ber_link_elements(prev, elm);
return elm;
}
struct ber_element *
ber_add_set(struct ber_element *prev)
{
struct ber_element *elm;
if ((elm = ber_get_element(BER_TYPE_SET)) == NULL)
return NULL;
ber_link_elements(prev, elm);
return elm;
}
struct ber_element *
ber_add_enumerated(struct ber_element *prev, long long val)
{
struct ber_element *elm;
u_int i, len = 0;
u_char cur, last = 0;
if ((elm = ber_get_element(BER_TYPE_ENUMERATED)) == NULL)
return NULL;
elm->be_numeric = val;
for (i = 0; i < sizeof(long long); i++) {
cur = val & 0xff;
if (cur != 0 && cur != 0xff)
len = i;
if ((cur == 0 && last & 0x80) ||
(cur == 0xff && (last & 0x80) == 0))
len = i;
val >>= 8;
last = cur;
}
elm->be_len = len + 1;
ber_link_elements(prev, elm);
return elm;
}
struct ber_element *
ber_add_integer(struct ber_element *prev, long long val)
{
struct ber_element *elm;
u_int i, len = 0;
u_char cur, last = 0;
if ((elm = ber_get_element(BER_TYPE_INTEGER)) == NULL)
return NULL;
elm->be_numeric = val;
for (i = 0; i < sizeof(long long); i++) {
cur = val & 0xff;
if (cur != 0 && cur != 0xff)
len = i;
if ((cur == 0 && last & 0x80) ||
(cur == 0xff && (last & 0x80) == 0))
len = i;
val >>= 8;
last = cur;
}
elm->be_len = len + 1;
ber_link_elements(prev, elm);
return elm;
}
int
ber_get_integer(struct ber_element *elm, long long *n)
{
if (elm->be_encoding != BER_TYPE_INTEGER)
return -1;
*n = elm->be_numeric;
return 0;
}
int
ber_get_enumerated(struct ber_element *elm, long long *n)
{
if (elm->be_encoding != BER_TYPE_ENUMERATED)
return -1;
*n = elm->be_numeric;
return 0;
}
struct ber_element *
ber_add_boolean(struct ber_element *prev, int bool)
{
struct ber_element *elm;
if ((elm = ber_get_element(BER_TYPE_BOOLEAN)) == NULL)
return NULL;
elm->be_numeric = bool ? 0xff : 0;
elm->be_len = 1;
ber_link_elements(prev, elm);
return elm;
}
int
ber_get_boolean(struct ber_element *elm, int *b)
{
if (elm->be_encoding != BER_TYPE_BOOLEAN)
return -1;
*b = !(elm->be_numeric == 0);
return 0;
}
struct ber_element *
ber_add_string(struct ber_element *prev, const char *string)
{
return ber_add_nstring(prev, string, strlen(string));
}
struct ber_element *
ber_add_nstring(struct ber_element *prev, const char *string0, size_t len)
{
struct ber_element *elm;
char *string;
if ((string = calloc(1, len)) == NULL)
return NULL;
if ((elm = ber_get_element(BER_TYPE_OCTETSTRING)) == NULL) {
free(string);
return NULL;
}
bcopy(string0, string, len);
elm->be_val = string;
elm->be_len = len;
elm->be_free = 1; /* free string on cleanup */
ber_link_elements(prev, elm);
return elm;
}
int
ber_get_string(struct ber_element *elm, char **s)
{
if (elm->be_encoding != BER_TYPE_OCTETSTRING)
return -1;
*s = elm->be_val;
return 0;
}
int
ber_get_nstring(struct ber_element *elm, void **p, size_t *len)
{
if (elm->be_encoding != BER_TYPE_OCTETSTRING)
return -1;
*p = elm->be_val;
*len = elm->be_len;
return 0;
}
struct ber_element *
ber_add_bitstring(struct ber_element *prev, const void *v0, size_t len)
{
struct ber_element *elm;
void *v;
if ((v = calloc(1, len)) == NULL)
return NULL;
if ((elm = ber_get_element(BER_TYPE_BITSTRING)) == NULL) {
free(v);
return NULL;
}
bcopy(v0, v, len);
elm->be_val = v;
elm->be_len = len;
elm->be_free = 1; /* free string on cleanup */
ber_link_elements(prev, elm);
return elm;
}
int
ber_get_bitstring(struct ber_element *elm, void **v, size_t *len)
{
if (elm->be_encoding != BER_TYPE_BITSTRING)
return -1;
*v = elm->be_val;
*len = elm->be_len;
return 0;
}
struct ber_element *
ber_add_null(struct ber_element *prev)
{
struct ber_element *elm;
if ((elm = ber_get_element(BER_TYPE_NULL)) == NULL)
return NULL;
ber_link_elements(prev, elm);
return elm;
}
int
ber_get_null(struct ber_element *elm)
{
if (elm->be_encoding != BER_TYPE_NULL)
return -1;
return 0;
}
struct ber_element *
ber_add_eoc(struct ber_element *prev)
{
struct ber_element *elm;
if ((elm = ber_get_element(BER_TYPE_EOC)) == NULL)
return NULL;
ber_link_elements(prev, elm);
return elm;
}
int
ber_get_eoc(struct ber_element *elm)
{
if (elm->be_encoding != BER_TYPE_EOC)
return -1;
return 0;
}
size_t
ber_oid2ber(struct ber_oid *o, u_int8_t *buf, size_t len)
{
u_int32_t v;
u_int i, j = 0, k;
if (o->bo_n < BER_MIN_OID_LEN || o->bo_n > BER_MAX_OID_LEN ||
o->bo_id[0] > 2 || o->bo_id[1] > 40)
return (0);
v = (o->bo_id[0] * 40) + o->bo_id[1];
for (i = 2, j = 0; i <= o->bo_n; v = o->bo_id[i], i++) {
for (k = 28; k >= 7; k -= 7) {
if (v >= (u_int)(1 << k)) {
if (len)
buf[j] = v >> k | BER_TAG_MORE;
j++;
}
}
if (len)
buf[j] = v & BER_TAG_TYPE_MASK;
j++;
}
return (j);
}
int
ber_string2oid(const char *oidstr, struct ber_oid *o)
{
char *sp, *p, str[BUFSIZ];
const char *errstr;
if (strlcpy(str, oidstr, sizeof(str)) >= sizeof(str))
return (-1);
bzero(o, sizeof(*o));
/* Parse OID strings in the common forms n.n.n, n_n_n_n, or n-n-n */
for (p = sp = str; p != NULL; sp = p) {
if ((p = strpbrk(p, "._-")) != NULL)
*p++ = '\0';
o->bo_id[o->bo_n++] = strtonum(sp, 0, UINT_MAX, &errstr);
if (errstr || o->bo_n > BER_MAX_OID_LEN)
return (-1);
}
return (0);
}
struct ber_element *
ber_add_oid(struct ber_element *prev, struct ber_oid *o)
{
struct ber_element *elm;
u_int8_t *buf;
size_t len;
if ((elm = ber_get_element(BER_TYPE_OBJECT)) == NULL)
return (NULL);
if ((len = ber_oid2ber(o, NULL, 0)) == 0)
goto fail;
if ((buf = calloc(1, len)) == NULL)
goto fail;
elm->be_val = buf;
elm->be_len = len;
elm->be_free = 1;
if (ber_oid2ber(o, buf, len) != len)
goto fail;
ber_link_elements(prev, elm);
return (elm);
fail:
ber_free_elements(elm);
return (NULL);
}
struct ber_element *
ber_add_noid(struct ber_element *prev, struct ber_oid *o, int n)
{
struct ber_oid no;
if (n > BER_MAX_OID_LEN)
return (NULL);
no.bo_n = n;
bcopy(&o->bo_id, &no.bo_id, sizeof(no.bo_id));
return (ber_add_oid(prev, &no));
}
struct ber_element *
ber_add_oidstring(struct ber_element *prev, const char *oidstr)
{
struct ber_oid o;
if (ber_string2oid(oidstr, &o) == -1)
return (NULL);
return (ber_add_oid(prev, &o));
}
int
ber_get_oid(struct ber_element *elm, struct ber_oid *o)
{
u_int8_t *buf;
size_t len, i = 0, j = 0;
if (elm->be_encoding != BER_TYPE_OBJECT)
return (-1);
buf = elm->be_val;
len = elm->be_len;
if (!buf[i])
return (-1);
bzero(o, sizeof(*o));
o->bo_id[j++] = buf[i] / 40;
o->bo_id[j++] = buf[i++] % 40;
for (; i < len && j < BER_MAX_OID_LEN; i++) {
o->bo_id[j] = (o->bo_id[j] << 7) + (buf[i] & ~0x80);
if (buf[i] & 0x80)
continue;
j++;
}
o->bo_n = j;
return (0);
}
struct ber_element *
ber_printf_elements(struct ber_element *ber, char *fmt, ...)
{
va_list ap;
int d, class;
size_t len;
unsigned long type;
long long i;
char *s;
void *p;
struct ber_oid *o;
struct ber_element *sub = ber, *e;
va_start(ap, fmt);
while (*fmt) {
switch (*fmt++) {
case 'B':
p = va_arg(ap, void *);
len = va_arg(ap, size_t);
if ((ber = ber_add_bitstring(ber, p, len)) == NULL)
goto fail;
break;
case 'b':
d = va_arg(ap, int);
if ((ber = ber_add_boolean(ber, d)) == NULL)
goto fail;
break;
case 'd':
d = va_arg(ap, int);
if ((ber = ber_add_integer(ber, d)) == NULL)
goto fail;
break;
case 'e':
e = va_arg(ap, struct ber_element *);
ber_link_elements(ber, e);
break;
case 'E':
i = va_arg(ap, long long);
if ((ber = ber_add_enumerated(ber, i)) == NULL)
goto fail;
break;
case 'i':
i = va_arg(ap, long long);
if ((ber = ber_add_integer(ber, i)) == NULL)
goto fail;
break;
case 'O':
o = va_arg(ap, struct ber_oid *);
if ((ber = ber_add_oid(ber, o)) == NULL)
goto fail;
break;
case 'o':
s = va_arg(ap, char *);
if ((ber = ber_add_oidstring(ber, s)) == NULL)
goto fail;
break;
case 's':
s = va_arg(ap, char *);
if ((ber = ber_add_string(ber, s)) == NULL)
goto fail;
break;
case 't':
class = va_arg(ap, int);
type = va_arg(ap, unsigned long);
ber_set_header(ber, class, type);
break;
case 'x':
s = va_arg(ap, char *);
len = va_arg(ap, size_t);
if ((ber = ber_add_nstring(ber, s, len)) == NULL)
goto fail;
break;
case '0':
if ((ber = ber_add_null(ber)) == NULL)
goto fail;
break;
case '{':
if ((ber = sub = ber_add_sequence(ber)) == NULL)
goto fail;
break;
case '(':
if ((ber = sub = ber_add_set(ber)) == NULL)
goto fail;
break;
case '}':
case ')':
ber = sub;
break;
case '.':
if ((e = ber_add_eoc(ber)) == NULL)
goto fail;
ber = e;
break;
default:
break;
}
}
va_end(ap);
return (ber);
fail:
return (NULL);
}
int
ber_scanf_elements(struct ber_element *ber, char *fmt, ...)
{
#define _MAX_SEQ 128
va_list ap;
int *d, level = -1;
unsigned long *t;
long long *i;
void **ptr;
size_t *len, ret = 0, n = strlen(fmt);
char **s;
struct ber_oid *o;
struct ber_element *parent[_MAX_SEQ], **e;
bzero(parent, sizeof(struct ber_element *) * _MAX_SEQ);
va_start(ap, fmt);
while (*fmt) {
switch (*fmt++) {
case 'B':
ptr = va_arg(ap, void **);
len = va_arg(ap, size_t *);
if (ber_get_bitstring(ber, ptr, len) == -1)
goto fail;
ret++;
break;
case 'b':
d = va_arg(ap, int *);
if (ber_get_boolean(ber, d) == -1)
goto fail;
ret++;
break;
case 'e':
e = va_arg(ap, struct ber_element **);
*e = ber;
ret++;
continue;
case 'E':
i = va_arg(ap, long long *);
if (ber_get_enumerated(ber, i) == -1)
goto fail;
ret++;
break;
case 'i':
i = va_arg(ap, long long *);
if (ber_get_integer(ber, i) == -1)
goto fail;
ret++;
break;
case 'o':
o = va_arg(ap, struct ber_oid *);
if (ber_get_oid(ber, o) == -1)
goto fail;
ret++;
break;
case 'S':
ret++;
break;
case 's':
s = va_arg(ap, char **);
if (ber_get_string(ber, s) == -1)
goto fail;
ret++;
break;
case 't':
d = va_arg(ap, int *);
t = va_arg(ap, unsigned long *);
*d = ber->be_class;
*t = ber->be_type;
ret++;
continue;
case 'x':
ptr = va_arg(ap, void **);
len = va_arg(ap, size_t *);
if (ber_get_nstring(ber, ptr, len) == -1)
goto fail;
ret++;
break;
case '0':
if (ber->be_encoding != BER_TYPE_NULL)
goto fail;
ret++;
break;
case '.':
if (ber->be_encoding != BER_TYPE_EOC)
goto fail;
ret++;
break;
case '{':
case '(':
if (ber->be_encoding != BER_TYPE_SEQUENCE &&
ber->be_encoding != BER_TYPE_SET)
goto fail;
if (ber->be_sub == NULL || level >= _MAX_SEQ-1)
goto fail;
parent[++level] = ber;
ber = ber->be_sub;
ret++;
continue;
case '}':
case ')':
if (level < 0 || parent[level] == NULL)
goto fail;
ber = parent[level--];
ret++;
continue;
default:
goto fail;
}
if (ber->be_next == NULL)
continue;
ber = ber->be_next;
}
va_end(ap);
return (ret == n ? 0 : -1);
fail:
va_end(ap);
return (-1);
}
/*
* write ber elements to the socket
*
* params:
* ber holds the socket
* root fully populated element tree
*
* returns:
* >=0 number of bytes written
* -1 on failure and sets errno
*/
int
ber_write_elements(struct ber *ber, struct ber_element *root)
{
size_t len;
/* calculate length because only the definite form is required */
len = ber_calc_len(root);
DPRINTF("write ber element of %zd bytes length\n", len);
if (ber->br_wbuf != NULL && ber->br_wbuf + len > ber->br_wend) {
free(ber->br_wbuf);
ber->br_wbuf = NULL;
}
if (ber->br_wbuf == NULL) {
if ((ber->br_wbuf = malloc(len)) == NULL)
return -1;
ber->br_wend = ber->br_wbuf + len;
}
/* reset write pointer */
ber->br_wptr = ber->br_wbuf;
if (ber_dump_element(ber, root) == -1)
return -1;
/* XXX this should be moved to a different function */
if (ber->fd != -1)
return write(ber->fd, ber->br_wbuf, len);
return (len);
}
/*
* read ber elements from the socket
*
* params:
* ber holds the socket and lot more
* root if NULL, build up an element tree from what we receive on
* the wire. If not null, use the specified encoding for the
* elements received.
*
* returns:
* !=NULL, elements read and store in the ber_element tree
* NULL, type mismatch or read error
*/
struct ber_element *
ber_read_elements(struct ber *ber, struct ber_element *elm)
{
struct ber_element *root = elm;
if (root == NULL) {
if ((root = ber_get_element(0)) == NULL)
return NULL;
}
DPRINTF("read ber elements, root %p\n", root);
if (ber_read_element(ber, root) == -1) {
/* Cleanup if root was allocated by us */
if (elm == NULL)
ber_free_elements(root);
return NULL;
}
return root;
}
void
ber_free_elements(struct ber_element *root)
{
if (root->be_sub && (root->be_encoding == BER_TYPE_SEQUENCE ||
root->be_encoding == BER_TYPE_SET))
ber_free_elements(root->be_sub);
if (root->be_next)
ber_free_elements(root->be_next);
if (root->be_free && (root->be_encoding == BER_TYPE_OCTETSTRING ||
root->be_encoding == BER_TYPE_BITSTRING ||
root->be_encoding == BER_TYPE_OBJECT))
free(root->be_val);
free(root);
}
size_t
ber_calc_len(struct ber_element *root)
{
unsigned long t;
size_t s;
size_t size = 2; /* minimum 1 byte head and 1 byte size */
/* calculate the real length of a sequence or set */
if (root->be_sub && (root->be_encoding == BER_TYPE_SEQUENCE ||
root->be_encoding == BER_TYPE_SET))
root->be_len = ber_calc_len(root->be_sub);
/* fix header length for extended types */
if (root->be_type > BER_TYPE_SINGLE_MAX)
for (t = root->be_type; t > 0; t >>= 7)
size++;
if (root->be_len >= BER_TAG_MORE)
for (s = root->be_len; s > 0; s >>= 8)
size++;
/* calculate the length of the following elements */
if (root->be_next)
size += ber_calc_len(root->be_next);
/* This is an empty element, do not use a minimal size */
if (root->be_type == BER_TYPE_EOC && root->be_len == 0)
return (0);
return (root->be_len + size);
}
/*
* internal functions
*/
static int
ber_dump_element(struct ber *ber, struct ber_element *root)
{
unsigned long long l;
int i;
uint8_t u;
ber_dump_header(ber, root);
switch (root->be_encoding) {
case BER_TYPE_BOOLEAN:
case BER_TYPE_INTEGER:
case BER_TYPE_ENUMERATED:
l = (unsigned long long)root->be_numeric;
for (i = root->be_len; i > 0; i--) {
u = (l >> ((i - 1) * 8)) & 0xff;
ber_putc(ber, u);
}
break;
case BER_TYPE_BITSTRING:
return -1;
case BER_TYPE_OCTETSTRING:
case BER_TYPE_OBJECT:
ber_write(ber, root->be_val, root->be_len);
break;
case BER_TYPE_NULL: /* no payload */
case BER_TYPE_EOC:
break;
case BER_TYPE_SEQUENCE:
case BER_TYPE_SET:
if (root->be_sub && ber_dump_element(ber, root->be_sub) == -1)
return -1;
break;
}
if (root->be_next == NULL)
return 0;
return ber_dump_element(ber, root->be_next);
}
static void
ber_dump_header(struct ber *ber, struct ber_element *root)
{
u_char id = 0, t, buf[8];
unsigned long type;
size_t size;
/* class universal, type encoding depending on type value */
/* length encoding */
if (root->be_type <= BER_TYPE_SINGLE_MAX) {
id = root->be_type | (root->be_class << BER_CLASS_SHIFT);
if (root->be_encoding == BER_TYPE_SEQUENCE ||
root->be_encoding == BER_TYPE_SET)
id |= BER_TYPE_CONSTRUCTED;
ber_putc(ber, id);
} else {
id = BER_TAG_MASK | (root->be_class << BER_CLASS_SHIFT);
if (root->be_encoding == BER_TYPE_SEQUENCE ||
root->be_encoding == BER_TYPE_SET)
id |= BER_TYPE_CONSTRUCTED;
ber_putc(ber, id);
for (t = 0, type = root->be_type; type > 0; type >>= 7)
buf[t++] = type & ~BER_TAG_MORE;
while (t-- > 0) {
if (t > 0)
buf[t] |= BER_TAG_MORE;
ber_putc(ber, buf[t]);
}
}
if (root->be_len < BER_TAG_MORE) {
/* short form */
ber_putc(ber, root->be_len);
} else {
for (t = 0, size = root->be_len; size > 0; size >>= 8)
buf[t++] = size & 0xff;
ber_putc(ber, t | BER_TAG_MORE);
while (t > 0)
ber_putc(ber, buf[--t]);
}
}
static void
ber_putc(struct ber *ber, u_char c)
{
if (ber->br_wptr + 1 <= ber->br_wend)
*ber->br_wptr = c;
ber->br_wptr++;
}
static void
ber_write(struct ber *ber, void *buf, size_t len)
{
if (ber->br_wptr + len <= ber->br_wend)
bcopy(buf, ber->br_wptr, len);
ber->br_wptr += len;
}
/*
* extract a BER encoded tag. There are two types, a short and long form.
*/
static ssize_t
get_id(struct ber *b, unsigned long *tag, int *class, int *cstruct)
{
u_char u;
size_t i = 0;
unsigned long t = 0;
if (ber_getc(b, &u) == -1)
return -1;
*class = (u >> BER_CLASS_SHIFT) & BER_CLASS_MASK;
*cstruct = (u & BER_TYPE_CONSTRUCTED) == BER_TYPE_CONSTRUCTED;
if ((u & BER_TAG_MASK) != BER_TAG_MASK) {
*tag = u & BER_TAG_MASK;
return 1;
}
do {
if (ber_getc(b, &u) == -1)
return -1;
t = (t << 7) | (u & ~BER_TAG_MORE);
i++;
} while (u & BER_TAG_MORE);
if (i > sizeof(unsigned long)) {
errno = ERANGE;
return -1;
}
*tag = t;
return i + 1;
}
/*
* extract length of a ber object -- if length is unknown an error is returned.
*/
static ssize_t
get_len(struct ber *b, ssize_t *len)
{
u_char u, n;
ssize_t s, r;
if (ber_getc(b, &u) == -1)
return -1;
if ((u & BER_TAG_MORE) == 0) {
/* short form */
*len = u;
return 1;
}
n = u & ~BER_TAG_MORE;
if (sizeof(ssize_t) < n) {
errno = ERANGE;
return -1;
}
r = n + 1;
for (s = 0; n > 0; n--) {
if (ber_getc(b, &u) == -1)
return -1;
s = (s << 8) | u;
}
if (s < 0) {
/* overflow */
errno = ERANGE;
return -1;
}
if (s == 0) {
/* invalid encoding */
errno = EINVAL;
return -1;
}
*len = s;
return r;
}
static ssize_t
ber_read_element(struct ber *ber, struct ber_element *elm)
{
long long val = 0;
struct ber_element *next;
unsigned long type;
int i, class, cstruct;
ssize_t len, r, totlen = 0;
u_char c;
if ((r = get_id(ber, &type, &class, &cstruct)) == -1)
return -1;
DPRINTF("ber read got class %d type %lu, %s\n",
class, type, cstruct ? "constructive" : "primitive");
totlen += r;
if ((r = get_len(ber, &len)) == -1)
return -1;
DPRINTF("ber read element size %zd\n", len);
totlen += r + len;
/*
* If using an external buffer and the total size of the element
* is larger, then the external buffer don't bother to continue.
*/
if (ber->fd == -1 && len > ber->br_rend - ber->br_rptr) {
errno = ECANCELED;
return -1;
}
elm->be_type = type;
elm->be_len = len;
elm->be_class = class;
if (elm->be_encoding == 0) {
/* try to figure out the encoding via class, type and cstruct */
if (cstruct)
elm->be_encoding = BER_TYPE_SEQUENCE;
else if (class == BER_CLASS_UNIVERSAL)
elm->be_encoding = type;
else if (ber->br_application != NULL) {
/*
* Ask the application to map the encoding to a
* universal type. For example, a SMI IpAddress
* type is defined as 4 byte OCTET STRING.
*/
elm->be_encoding = (*ber->br_application)(elm);
} else
/* last resort option */
elm->be_encoding = BER_TYPE_NULL;
}
switch (elm->be_encoding) {
case BER_TYPE_EOC: /* End-Of-Content */
break;
case BER_TYPE_BOOLEAN:
case BER_TYPE_INTEGER:
case BER_TYPE_ENUMERATED:
if (len > (ssize_t)sizeof(long long))
return -1;
for (i = 0; i < len; i++) {
if (ber_getc(ber, &c) != 1)
return -1;
val <<= 8;
val |= c;
}
/* sign extend if MSB is set */
if (val >> ((i - 1) * 8) & 0x80)
val |= ULLONG_MAX << (i * 8);
elm->be_numeric = val;
break;
case BER_TYPE_BITSTRING:
elm->be_val = malloc(len);
if (elm->be_val == NULL)
return -1;
elm->be_free = 1;
elm->be_len = len;
ber_read(ber, elm->be_val, len);
break;
case BER_TYPE_OCTETSTRING:
case BER_TYPE_OBJECT:
elm->be_val = malloc(len + 1);
if (elm->be_val == NULL)
return -1;
elm->be_free = 1;
elm->be_len = len;
ber_read(ber, elm->be_val, len);
((u_char *)elm->be_val)[len] = '\0';
break;
case BER_TYPE_NULL: /* no payload */
if (len != 0)
return -1;
break;
case BER_TYPE_SEQUENCE:
case BER_TYPE_SET:
if (elm->be_sub == NULL) {
if ((elm->be_sub = ber_get_element(0)) == NULL)
return -1;
}
next = elm->be_sub;
while (len > 0) {
r = ber_read_element(ber, next);
if (r == -1)
return -1;
len -= r;
if (len > 0 && next->be_next == NULL) {
if ((next->be_next = ber_get_element(0)) ==
NULL)
return -1;
}
next = next->be_next;
}
break;
}
return totlen;
}
static ssize_t
ber_readbuf(struct ber *b, void *buf, size_t nbytes)
{
size_t sz;
size_t len;
if (b->br_rbuf == NULL)
return -1;
sz = b->br_rend - b->br_rptr;
len = MINIMUM(nbytes, sz);
if (len == 0) {
errno = ECANCELED;
return (-1); /* end of buffer and parser wants more data */
}
bcopy(b->br_rptr, buf, len);
b->br_rptr += len;
return (len);
}
void
ber_set_readbuf(struct ber *b, void *buf, size_t len)
{
b->br_rbuf = b->br_rptr = buf;
b->br_rend = (u_int8_t *)buf + len;
}
ssize_t
ber_get_writebuf(struct ber *b, void **buf)
{
if (b->br_wbuf == NULL)
return -1;
*buf = b->br_wbuf;
return (b->br_wend - b->br_wbuf);
}
void
ber_set_application(struct ber *b, unsigned long (*cb)(struct ber_element *))
{
b->br_application = cb;
}
void
ber_free(struct ber *b)
{
free(b->br_wbuf);
}
static ssize_t
ber_getc(struct ber *b, u_char *c)
{
ssize_t r;
/*
* XXX calling read here is wrong in many ways. The most obvious one
* being that we will block till data arrives.
* But for now it is _good enough_ *gulp*
*/
if (b->fd == -1)
r = ber_readbuf(b, c, 1);
else
r = read(b->fd, c, 1);
return r;
}
static ssize_t
ber_read(struct ber *ber, void *buf, size_t len)
{
u_char *b = buf;
ssize_t r, remain = len;
/*
* XXX calling read here is wrong in many ways. The most obvious one
* being that we will block till data arrives.
* But for now it is _good enough_ *gulp*
*/
while (remain > 0) {
if (ber->fd == -1)
r = ber_readbuf(ber, b, remain);
else
r = read(ber->fd, b, remain);
if (r == -1) {
if (errno == EINTR || errno == EAGAIN)
continue;
return -1;
}
if (r == 0)
return (b - (u_char *)buf);
b += r;
remain -= r;
}
return (b - (u_char *)buf);
}