[gnutls-devel] libtasn1 | Endless loop in asn1_create_element(), ending in OOM (#22)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Aug 1 13:16:05 CEST 2019

Tim Rühsen created an issue:

The following call sequence eats up memory while running in an (endless) loop:

    /* declarations added for context; the reported call sequence is the two lines below */
    asn1_node definitions = NULL, asn1_element = NULL;
    char errorDescription[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
    if (asn1_parser2tree("infile", &definitions, errorDescription) == ASN1_SUCCESS)
      asn1_create_element(definitions, "TEST_TREE.Koko", &asn1_element);

with `infile` being

    Koko ::= SEQUENCE {
      x ?L

Easiest way to reproduce:
- git checkout tmp-fuzzing
- ./bootstrap && ./configure && make && cd fuzz
- make check TESTS=libtasn1_encoding_fuzzer

You have to CTRL-C to stop it. It hangs in `_asn1_expand_identifier()`, each loop iteration running through the code block of `if (type_field (p->type) == ASN1_ETYPE_IDENTIFIER)`.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/22
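A standalone reproducer for the call sequence in the report, without the fuzzer harness. This is an added example, not code from the report or from libtasn1: it writes the two-line definition exactly as quoted above, wraps the reported asn1_parser2tree()/asn1_create_element() sequence in a small C driver, and runs it under a wall-clock timeout and an address-space cap so the endless loop ends as a classifiable exit status instead of exhausting memory. It assumes a Linux box with a C compiler, the libtasn1 headers and library (`-ltasn1`), GNU coreutils `timeout`, and a shell whose `ulimit` supports `-v`. The file names, the `REPRO_RUN` switch and the `classify` helper are this example's own, not part of the project.

```shell
#!/bin/sh
# Guarded reproducer for the asn1_create_element() hang (added example,
# not the reporter's code). Run with REPRO_RUN=1 to actually build and
# execute the driver; without it the script only defines the helpers.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Write the malformed definition exactly as quoted in the report.
write_infile() {
    printf 'Koko ::= SEQUENCE {\n  x ?L\n' > "$1"
}

# C driver around the reported call sequence. Exits 2 if the parser
# rejects the file on this build, so a hang can only come from
# asn1_create_element().
write_driver() {
    cat > "$1" <<'EOF'
#include <stdio.h>
#include <libtasn1.h>

int main(int argc, char **argv)
{
    asn1_node definitions = NULL, element = NULL;
    char err[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
    int rc;

    if (argc != 2) { fprintf(stderr, "usage: repro <definitions>\n"); return 1; }
    rc = asn1_parser2tree(argv[1], &definitions, err);
    if (rc != ASN1_SUCCESS) {
        fprintf(stderr, "parse failed: %s (%s)\n", asn1_strerror(rc), err);
        return 2;
    }
    rc = asn1_create_element(definitions, "TEST_TREE.Koko", &element);
    printf("asn1_create_element returned %d (%s)\n", rc, asn1_strerror(rc));
    asn1_delete_structure(&element);
    asn1_delete_structure(&definitions);
    return 0;
}
EOF
}

# Map the guarded run's exit status to a one-line verdict.
# 124 is timeout(1)'s "killed by deadline"; 134/137/139 are SIGABRT,
# SIGKILL (OOM killer) and SIGSEGV as reported by the shell.
classify() {
    case "$1" in
        0)           echo "returned" ;;
        2)           echo "parser rejected the definition" ;;
        124)         echo "hang: killed by timeout" ;;
        134|137|139) echo "crash/oom: killed by signal" ;;
        *)           echo "exit $1" ;;
    esac
}

# Build the driver and run it with a 512 MiB address-space cap and a
# 10 second deadline; the reported bug never returns on its own.
run_repro() {
    write_infile "$WORK/infile"
    write_driver "$WORK/repro.c"
    cc -o "$WORK/repro" "$WORK/repro.c" -ltasn1
    status=0
    (ulimit -v 524288; timeout 10 "$WORK/repro" "$WORK/infile") || status=$?
    classify "$status"
}

if [ "${REPRO_RUN:-0}" = 1 ]; then
    run_repro
fi
```

With the bug present, `REPRO_RUN=1 sh repro.sh` should print "hang: killed by timeout" (or the OOM verdict if the address-space cap is hit first); a fixed libtasn1 prints the asn1_create_element() return code and "returned". The cap matters more than the timeout when bisecting: an unbounded run of this loop will consume all memory before the deadline on a machine with no swap limit.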