On Fri, Feb 20, 2015, Nathaniel McCallum wrote:

> I'd like to use ASN1_item_d2i_bio() (or something similar) to parse an
> incoming message. However, given that types like ASN1_OCTET_STRING
> have (essentially) unbounded length, how do I prevent an attacker from
> DOS'ing via OOM?
>
> Is there some way to set a max packet size?
>

No there isn't but if the input is in DER form you can peek the first few
bytes and get the tag+length fields to determine the size of the structure.

If the input uses indefinite length encoding that isn't possible however.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org