Bug: Off-by-one in asn1_object_identifier_from_octets() causes stack buffer overflow

### Bug: Off-by-one in asn1_object_identifier_from_octets() causes stack buffer overflow

**Location:** `src/asn1.c`, around line 1044

**Description:**

The bounds check in `asn1_object_identifier_from_octets()` uses `>` instead of `>=`. 
When `nodes_cnt` equals 32 (ASN1_OID_MAX_NODES), the check `32 > 32` evaluates to FALSE, 
allowing a write to `nodes[32]` which is out-of-bounds.

**Vulnerable code:**
```c
if (*nodes_cnt > ASN1_OID_MAX_NODES) {  // BUG: should be >=
    error_print();
    return -1;
}
```

**Reproduction:**
Build with AddressSanitizer and parse a certificate containing an OID with 33+ arcs.
```
==...==ERROR: AddressSanitizer: stack-buffer-overflow on address ... at pc ... bp ... sp ...
WRITE of size 4 at ... thread T0
    #0 ... in asn1_object_identifier_from_octets asn1.c:1053
    #1 ... in asn1_object_identifier_from_der_ex asn1.c:1128
    ...
```

**Impact:**
- Crash (DoS) on systems with stack protection
- Potentially more severe on embedded systems without stack canary

**Suggested fix:**
```diff
- if (*nodes_cnt > ASN1_OID_MAX_NODES) {
+ if (*nodes_cnt >= ASN1_OID_MAX_NODES) {
```

**Credit:**
RedShift Analyzer @ G.O.S.S.I.P

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bug: Off-by-one in asn1_object_identifier_from_octets() causes stack buffer overflow #1868