[gnutls-devel] libtasn1 | Endless loop in asn1_create_element(), ending in OOM (#22)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Thu Aug 1 13:16:05 CEST 2019
Tim Rühsen created an issue:
The following call sequence eats up memory while running in an (endless) loop:
```c
/* Declarations added for context; the two calls are as in the report. */
asn1_node definitions = NULL, asn1_element = NULL;
char errorDescription[ASN1_MAX_ERROR_DESCRIPTION_SIZE];

if (asn1_parser2tree("infile", &definitions, errorDescription) == ASN1_SUCCESS)
  asn1_create_element(definitions, "TEST_TREE.Koko", &asn1_element); /* loops forever, per the report */
```
with `infile` being
```
TEST_TREE { }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
Koko ::= SEQUENCE {
x ?L
}
END
```
Easiest way to reproduce:
- git checkout tmp-fuzzing
- ./bootstrap && ./configure && make && cd fuzz
- make check TESTS=libtasn1_encoding_fuzzer
You have to CTRL-C to stop it. It hangs in `_asn1_expand_identifier()`, each loop iteration running through the code block of `if (type_field (p->type) == ASN1_ETYPE_IDENTIFIER)`.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/22
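The reproduction steps above leave the fuzzer running until it is interrupted with CTRL-C. The script below is an added example, not part of the report or of libtasn1: it wraps the same `make check` invocation in a wall-clock limit (`timeout`, GNU coreutils) and an address-space limit (`ulimit -v`), so an endless loop or runaway allocation ends on its own with a distinct verdict instead of consuming all memory. The time and memory budgets and the function names `classify_run` and `reproduce_issue` are assumptions; the branch, build and test names come from the report.

```shell
#!/bin/sh
# Added example (not part of the original report or of libtasn1): run the
# reproduction under a time and memory bound so a hang or OOM becomes a
# failing exit status rather than a session that needs CTRL-C.

# classify_run SECONDS MAX_KB CMD...
# Runs CMD with `timeout` (GNU coreutils) and `ulimit -v`, then prints one
# word: ok, hang, killed or fail. The ulimit only affects the subshell.
classify_run() {
    secs=$1; maxkb=$2; shift 2
    ( ulimit -v "$maxkb" 2>/dev/null; exec timeout "$secs" "$@" ) >/dev/null 2>&1
    rc=$?
    case $rc in
        0)   echo ok ;;        # test finished normally
        124) echo hang ;;      # timeout expired: the endless-loop case
        137) echo killed ;;    # SIGKILL, e.g. from the kernel OOM killer
        *)   echo fail ;;      # any other status (allocation failure, crash)
    esac
}

# reproduce_issue: the steps from the report, with assumed budgets of
# 60 s wall clock and 2 GB of address space. Run from a libtasn1 checkout
# that has already been built (git checkout tmp-fuzzing && ./bootstrap &&
# ./configure && make).
reproduce_issue() {
    verdict=$(classify_run 60 2000000 make -C fuzz check TESTS=libtasn1_encoding_fuzzer)
    echo "libtasn1_encoding_fuzzer: $verdict"
    [ "$verdict" = ok ]
}

# Only run the reproduction when asked, so sourcing the file has no effect.
if [ "${1:-}" = "--run" ]; then
    reproduce_issue
fi
```

Invoke as `sh repro.sh --run` from the checkout; a `hang` verdict is the behaviour described in the report, while `ok` after a fix confirms the loop is gone. The address-space limit is there because the reported loop ends in OOM: bounding it makes the process fail fast with an allocation error instead of driving the machine into swap.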