Buffer Overflow in gnutls_pk.c/_gnutls_pkcs1_rsa_decrypt
Michal Ambroz
rebus at seznam.cz
Mon Jan 9 22:28:16 CET 2012
Hello,
As a result of a bug in openvas-libraries I hit a buffer overflow condition in gnutls.
This code in gnutls (gnutls_pk.c:220) will overwrite the stack because the
function trusts that the declared size of the pk_params.params will be bigger
than the size of parameters from the configured pkcs11 key:
209 _gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
210 const gnutls_datum_t * ciphertext,
211 bigint_t * params, unsigned params_len,
212 unsigned btype)
213 {
214 unsigned int k, i;
215 int ret;
216 size_t esize, mod_bits;
217 gnutls_pk_params_st pk_params;
218
219 for (i = 0; i < params_len; i++)
220 pk_params.params[i] = params[i];
221 pk_params.params_nr = params_len;
222
On the GnuTLS side I would recommend to either:
1) log an error and exit gracefully if calling params_len is greater than the struct size
2) log an error and limit the for cycle with the min(params_len, sizeof(pk_params.params) )
to ensure that the buffer will not get overwritten with broken or intentionally crafted data.
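The bounded copy described above, as an added illustration that is not GnuTLS code and not from the original post; the names pk_params_t, MAX_PK_PARAMS, PK_E_INVALID_REQUEST and copy_pk_params are assumptions for this example:

```c
/* Added example, not GnuTLS code: copy caller-supplied parameter handles
 * into a fixed-size struct only after checking that they fit, so an
 * oversized params_len (from a broken or crafted key) is refused instead
 * of written past the end of the array. */
#include <stddef.h>
#include <stdio.h>

#define MAX_PK_PARAMS 8          /* hypothetical fixed capacity */
#define PK_E_INVALID_REQUEST -1  /* hypothetical error code */

typedef void *bigint_t;          /* opaque big-integer handle, as in the report */

typedef struct {
    bigint_t params[MAX_PK_PARAMS];
    unsigned params_nr;
} pk_params_t;

/* Returns 0 on success, PK_E_INVALID_REQUEST when params_len exceeds the
 * capacity of dst->params (option 1 in the report: log and refuse). */
int copy_pk_params(pk_params_t *dst, const bigint_t *params, unsigned params_len)
{
    size_t capacity = sizeof(dst->params) / sizeof(dst->params[0]);
    unsigned i;

    if (params == NULL || params_len > capacity) {
        fprintf(stderr, "pk params: %u supplied, capacity %zu\n",
                params_len, capacity);
        dst->params_nr = 0;
        return PK_E_INVALID_REQUEST;
    }
    for (i = 0; i < params_len; i++)
        dst->params[i] = params[i];
    dst->params_nr = params_len;
    return 0;
}

/* Constructed sample input: 12 dummy handles, more than MAX_PK_PARAMS. */
static int dummy[12];

/* In-bounds request: returns the number of parameters stored (6). */
int demo_in_bounds(void)
{
    pk_params_t dst;
    bigint_t src[12];
    unsigned i;
    for (i = 0; i < 12; i++) src[i] = &dummy[i];
    return copy_pk_params(&dst, src, 6) == 0 ? (int)dst.params_nr : -99;
}

/* Oversized request: returns the error code instead of overflowing. */
int demo_oversized(void)
{
    pk_params_t dst;
    bigint_t src[12];
    unsigned i;
    for (i = 0; i < 12; i++) src[i] = &dummy[i];
    return copy_pk_params(&dst, src, 12);
}
```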
Best regards
Michal Ambroz