ASN.1 code passes uninitialized values around

	* asn1_get.c (asn1_get_tag_indef): Stomp on asn1class,
	construction, retlen, and indef, even if we've hit the end of the
	buffer, to avoid passing uninitialized values around.

	* asn1_k_decode.c: Reformat somewhat and add comments to demystify
	things a little.
	(opt_field): Fix to explicitly check for end of subbuf before
	verifying the pre-fetched tag, which may have been stomped on by
	asn1_get_tag_indef() encountering end-of-buffer.

	* krb5_decode.c (opt_field, opt_lenfield): Fix to explicitly check
	for end of subbuf before verifying the pre-fetched tag, which may
	have been stomped on by asn1_get_tag_indef() encountering
	end-of-buffer.

ticket: new
target_version: 1.3

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14913 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 10 insertions, 2 deletions

diff --git a/src/lib/krb5/asn.1/asn1_get.c b/src/lib/krb5/asn.1/asn1_get.c
index 47dd283..e90ac6b 100644
--- a/src/lib/krb5/asn.1/asn1_get.c
+++ b/src/lib/krb5/asn.1/asn1_get.c
@@ -35,8 +35,16 @@ asn1_get_tag_indef(asn1buf *buf, asn1_class *asn1class,
   
   if (buf == NULL || buf->base == NULL ||
       buf->bound - buf->next + 1 <= 0) {
-      *tagnum = ASN1_TAGNUM_CEILING;
-      return 0;
+    *tagnum = ASN1_TAGNUM_CEILING; /* emphatically not an EOC tag */
+    if (asn1class != NULL)
+      *asn1class = UNIVERSAL;
+    if (construction != NULL)
+      *construction = PRIMITIVE;
+    if (retlen != NULL)
+      *retlen = 0;
+    if (indef != NULL)
+      *indef = 0;
+    return 0;
   }
   retval = asn1_get_id(buf,asn1class,construction,tagnum);
   if(retval) return retval;