Buffer Overflow in gnutls_pk.c/_gnutls_pkcs1_rsa_decrypt
Nikos Mavrogiannopoulos
nmav at gnutls.org
Mon Jan 9 23:50:44 CET 2012
On 01/09/2012 10:28 PM, Michal Ambroz wrote:
> Hello,
> As a result of a bug in openvas-libraries I hit a buffer overflow
> condition in gnutls. This code in gnutls (gnutls_pk.c:220) will
> overwrite the stack because the function trusts that the declared
> size of the pk_params.params will be bigger than the size of
> parameters from the configured pkcs11 key:
Hello,
I would be curious about how you reached the buffer overflow. This is an
internal function and its input is controlled by its callers.
> 2) log an error and limit the for cycle with the min(params_len,
> sizeof(pk_params.params) )
> to ensure that the buffer will not get overwritten with broken or
> intentionally crafted data.
Although having a sanity check there is useful, how could intentionally
crafted data reach that point?
regards,
Nikos
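
The sanity check discussed in this thread, sketched as an added example; it is not part of the original messages and is not GnuTLS code. All names (`pk_params_t`, `MAX_PK_PARAMS`, `load_pk_params`, `try_load`) are hypothetical, the destination is assumed to be a fixed-size array of pointer-sized entries, and the check rejects an oversized count instead of clamping the loop.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names throughout; these are not GnuTLS identifiers. */
#define MAX_PK_PARAMS 4
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

typedef struct {
    const void *params[MAX_PK_PARAMS]; /* fixed-size destination */
    size_t params_nr;                  /* entries currently valid */
} pk_params_t;

/* Copy params_len caller-supplied entries into dst.
 * Returns 0 on success, -1 if the caller's count does not fit. */
int load_pk_params(pk_params_t *dst, const void *const *src, size_t params_len)
{
    /* Compare against the element count. sizeof(dst->params) is a byte
     * count (MAX_PK_PARAMS * sizeof(void *)), so using it as the loop
     * limit would still allow writes past the end of the array. */
    if (params_len > ARRAY_LEN(dst->params)) {
        fprintf(stderr, "pk params: %zu entries exceed capacity %zu\n",
                params_len, ARRAY_LEN(dst->params));
        dst->params_nr = 0;
        return -1; /* fail closed instead of using a truncated key */
    }
    for (size_t i = 0; i < params_len; i++)
        dst->params[i] = src[i];
    dst->params_nr = params_len;
    return 0;
}

/* Constructed sample input: offer n entries (n <= 6) to the four-slot
 * array. Returns the number of entries stored, or -1 on rejection. */
int try_load(size_t n)
{
    static const int v[6] = {1, 2, 3, 4, 5, 6};
    const void *src[6] = {&v[0], &v[1], &v[2], &v[3], &v[4], &v[5]};
    pk_params_t p = {0};
    int rc = load_pk_params(&p, src, n);
    return rc == 0 ? (int)p.params_nr : rc;
}

int main(void)
{
    printf("4 entries -> %d\n", try_load(4));
    printf("6 entries -> %d\n", try_load(6));
    return 0;
}
```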