fix(ttlv): panic if struct tag int values are out of bound

phsym · phsym · commit 310974dbb49b · 2025-04-30T11:37:14.000+02:00
Fixes https://github.com/ovh/kmip-go/security/code-scanning/3 Signed-off-by: Pierre-Henri Symoneaux <pierre-henri.symoneaux@ovhcloud.com>
diff --git a/ttlv/reflect.go b/ttlv/reflect.go
@@ -71,10 +71,16 @@ func getFieldTag(fldT reflect.StructField, tagVal string) int {
 	}
 
 	if strings.HasPrefix(tagVal, "0x") {
-		n, err := strconv.ParseInt(tagVal[2:], 16, 64)
+		n, err := strconv.ParseInt(tagVal[2:], 16, 0)
 		if err != nil {
 			panic(err)
 		}
+		if n <= 0 {
+			panic("the tag must be strictly positive")
+		}
+		if n > 0xFFFFFF {
+			panic("the tag cannot be bigger than 3 bytes")
+		}
 		return int(n)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -71,10 +71,16 @@ func getFieldTag(fldT reflect.StructField, tagVal string) int {`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`if strings.HasPrefix(tagVal, "0x") {`
`74`		`- n, err := strconv.ParseInt(tagVal[2:], 16, 64)`
	`74`	`+ n, err := strconv.ParseInt(tagVal[2:], 16, 0)`
`75`	`75`	`if err != nil {`
`76`	`76`	`panic(err)`
`77`	`77`	`}`
	`78`	`+ if n <= 0 {`
	`79`	`+ panic("the tag must be strictly positive")`
	`80`	`+ }`
	`81`	`+ if n > 0xFFFFFF {`
	`82`	`+ panic("the tag cannot be bigger than 3 bytes")`
	`83`	`+ }`
`78`	`84`	`return int(n)`
`79`	`85`	`}`
`80`	`86`