[gnutls-devel] libtasn1 | function "asn1_der_decoding" potentially causes infinite memory allocation (#24)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Sep 12 10:50:45 CEST 2019



carblue created an issue: https://gitlab.com/gnutls/libtasn1/issues/24



## Description of problem:
The function `asn1_der_decoding` causes infinite memory allocation when the structure and the input DER data are incongruent. I'm referring here to PKCS#15 TokenInfo from the ASN.1 module, e.g. at https://github.com/carblue/tasn1/blob/master/PKCS15.asn. Excerpt:

```asn1
TokenInfo ::= SEQUENCE {
    version         INTEGER { v1(0), v2(1) }, -- (v1,...),
    serialNumber    OCTET STRING,
    manufacturerID  Label OPTIONAL,
    label           [0] Label OPTIONAL,
    tokenflags      TokenFlags,
...more fields
```

It happened that my smart card's PKCS#15 EF.TokenInfo file 0x5032 got corrupted (i.e. its content is not PKCS#15 compliant any more: "tokenflags" were misplaced before "manufacturerID" instead of correctly behind "label"), thus forming incongruent input DER data.

## Version of libtasn1 used:
4.13

## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)
Ubuntu (package libtasn1-6, installs Version 4.13-2)

## How reproducible:

Steps to Reproduce (the following is D language code, slightly different from C; there is no problem with referring to D code as such: it works well with the "congruent buf DER input data"):

```d
asn1_node PKCS15;           // parsed ASN.1 module tree
asn1_node structure;        // element the DER data is decoded into
string errorDescription;
ubyte[] buf = new ubyte[65]; // length of the input DER data in bytes; 65 for the example DER input data below
// buf is then filled with the DER bytes shown below
// 1.
asn1_parser2tree("PKCS15.asn", &PKCS15, errorDescription);
// 2.
asn1_create_element(PKCS15, "PKCS15.TokenInfoChoice", &structure);
// 3.
asn1_der_decoding(&structure, buf, errorDescription);
```

Example for congruent buf DER input data:
`303F0201010406C0C6406881C70C1A416476616E63656420436172642053797374656D73204C74642E801243544D36345F43304336343036383831433703020420`

Example for incongruent buf DER input data:
`3032020101040400000000030204200C1A416476616E63656420436172642053797374656D73204C74642EA0070C05626162616E36343036383831433703020420`

## Actual results:
Memory allocation failed, because I "jailed" memory usage with `ulimit -d -m -v 5000000`; otherwise it would crash my OS by infinitely allocating memory!

## Expected results:
Successful DER data decoding into structure based on the provided .asn module file

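As an added example (not code from the issue report and not libtasn1's own code), the C program below is a bounds-checked DER walker that runs the two samples above through a structural pre-check against the TokenInfo field order given in the module excerpt. The function names `der_tlv`, `sequence_children` and `check_token_info` and the return codes are assumptions of this example; it shows that the corrupted blob carries tokenflags (BIT STRING, tag 0x03) as its third child and leaves 13 bytes after the outer SEQUENCE, so it can be rejected before a schema-driven decoder is ever asked to fit it to the structure.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two DER samples quoted in the issue report above (hex, 65 bytes each). */
static const char *CONGRUENT_DER = "303F0201010406C0C6406881C70C1A416476616E63656420436172642053797374656D73204C74642E801243544D36345F43304336343036383831433703020420";
static const char *INCONGRUENT_DER = "3032020101040400000000030204200C1A416476616E63656420436172642053797374656D73204C74642EA0070C05626162616E36343036383831433703020420";

/* Decode hex into out; returns the byte count, or -1 on odd length, bad digit or overflow. */
static int hex_decode(const char *hex, uint8_t *out, size_t cap) {
    size_t i, n = strlen(hex) / 2;
    if (strlen(hex) % 2 || n > cap) return -1;
    for (i = 0; i < n; i++) { unsigned v; if (sscanf(hex + 2 * i, "%2x", &v) != 1) return -1; out[i] = (uint8_t)v; }
    return (int)n;
}

/* Parse one TLV header at buf[pos] within buf[0..len). Rejects multi-byte tags, indefinite or >2-byte lengths, and any length past len. */
static int der_tlv(const uint8_t *buf, size_t len, size_t pos, uint8_t *tag, size_t *coff, size_t *clen) {
    if (pos + 2 > len || (buf[pos] & 0x1F) == 0x1F) return 0;
    size_t l = buf[pos + 1], hdr = 2, nb = l & 0x7F;
    if (l & 0x80) {                              /* long form: 81 nn or 82 nn nn */
        if (nb == 0 || nb > 2 || pos + 2 + nb > len) return 0;
        for (l = 0; hdr < 2 + nb; hdr++) l = (l << 8) | buf[pos + hdr];
    }
    if (l > len - pos - hdr) return 0;           /* content would overrun the buffer */
    *tag = buf[pos]; *coff = pos + hdr; *clen = l;
    return 1;
}

/* Walk the children of the outer SEQUENCE, recording up to cap tags; returns the child count or -1 if malformed. */
static int sequence_children(const char *hex, uint8_t *tags, size_t cap, size_t *trailing) {
    uint8_t buf[256], tag; size_t off, clen, end, pos; int count = 0;
    int n = hex_decode(hex, buf, sizeof buf);
    if (n < 0 || !der_tlv(buf, (size_t)n, 0, &tag, &off, &clen) || tag != 0x30) return -1;
    end = off + clen; if (trailing) *trailing = (size_t)n - end;   /* bytes left after the SEQUENCE; 13 for the corrupted sample */
    for (pos = off; pos < end; pos = off + clen, count++) {
        if (!der_tlv(buf, end, pos, &tag, &off, &clen)) return -1;   /* every child stays inside the SEQUENCE */
        if ((size_t)count < cap) tags[count] = tag;
    }
    return count;
}

/* Child tags the module excerpt prescribes: version, serialNumber, manufacturerID, [0] label (implicit, 0x80 in the sample), tokenflags. */
static const uint8_t TOKENINFO_TAGS[] = { 0x02, 0x04, 0x0C, 0x80, 0x03 };

/* 0: matches that layout; 1: malformed DER; 2: child tags differ from the schema (the corrupted sample); 3: stray bytes trail the SEQUENCE. */
static int check_token_info(const char *hex) {
    uint8_t tags[16]; size_t trailing;
    int n = sequence_children(hex, tags, 16, &trailing);
    if (n < 0) return 1;
    if (n != 5 || memcmp(tags, TOKENINFO_TAGS, 5) != 0) return 2;
    return trailing ? 3 : 0;
}
```

Every length is compared with the bytes remaining before it is consumed, which is the property a decoder needs so that corrupt input can only be rejected, never walked past the buffer.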

