From: Zhihong Zhang
Message-Id: <200404212224.SAA07060@dragonz.office.aol.com>
To: krb5-bugs@mit.edu
Date: Wed, 21 Apr 2004 18:24:44 EDT
In-Reply-To: from "To:krb5-bugs@mit.edu" at Apr 21, 104 11:14 am
Subject: DER Bug

I found this bug in MIT code. If you have the same code, you should fix it.
This breaks any tag bigger than 30.

Zhihong

>
> Found a bug in the DER decoder of KRB5-1.28.
>
> This loop in asn1_get.c is wrong,
>
> do{
>   retval = asn1buf_remove_octet(buf,&o);
>   if(retval) return retval;
>   tn = (tn<<7) + (asn1_tagnum)(o&0x7F);
> }while(tn&0x80);
>
> It should be "while(o&0x80)".
>
> The effect is that it can't decode any tags bigger than 30.
>
> Zhihong
>
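
Added example, not part of the original message and not MIT code: a stand-alone C decoder for the X.690 high-tag-number octets that runs the loop once with the reported condition and once with the proposed one, on constructed inputs. The names decode_high_tag and tag_result, the starting value of 0 for the tag number, and the truncation and size checks are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

typedef struct {
    int           status;    /* 0 = ok, -1 = truncated, -2 = tag number too large */
    unsigned long tagnum;    /* decoded tag number */
    size_t        consumed;  /* octets read after the leading identifier octet */
} tag_result;

/* Decode the octets that follow an identifier octet whose low five bits are
 * 0x1F. check_octet = 0 reproduces `while (tn & 0x80)` from the report;
 * check_octet = 1 uses the proposed `while (o & 0x80)`.
 * Assumption: the tag number starts at 0 (the quoted loop omits its init). */
static tag_result decode_high_tag(const unsigned char *p, size_t len, int check_octet)
{
    tag_result r = { 0, 0, 0 };
    unsigned char o;

    do {
        if (r.consumed == len) { r.status = -1; return r; }  /* input ended early */
        if (r.tagnum >> 24)    { r.status = -2; return r; }  /* keep the shift bounded */
        o = p[r.consumed++];
        r.tagnum = (r.tagnum << 7) + (unsigned long)(o & 0x7F);
    } while (check_octet ? (o & 0x80) : (r.tagnum & 0x80));
    return r;
}

/* Constructed inputs: tag 200 is 0x81 0x48, tag 16384 is 0x81 0x80 0x00. */
static const unsigned char TAG_200[]   = { 0x81, 0x48 };
static const unsigned char TAG_16384[] = { 0x81, 0x80, 0x00 };
static const unsigned char TRUNCATED[] = { 0x81 };

int main(void)
{
    tag_result bad  = decode_high_tag(TAG_200, sizeof TAG_200, 0);
    tag_result good = decode_high_tag(TAG_200, sizeof TAG_200, 1);
    tag_result big  = decode_high_tag(TAG_16384, sizeof TAG_16384, 1);
    tag_result cut  = decode_high_tag(TRUNCATED, sizeof TRUNCATED, 1);
    printf("reported loop: tag=%lu consumed=%zu\n", bad.tagnum, bad.consumed);
    printf("proposed loop: tag=%lu consumed=%zu\n", good.tagnum, good.consumed);
    printf("proposed loop: tag=%lu consumed=%zu\n", big.tagnum, big.consumed);
    printf("truncated input: status=%d\n", cut.status);
    return 0;
}
```

With the reported condition the decoder returns after the first octet of a multi-octet tag number, so the remaining tag octets stay in the buffer and would be read as the next field.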