[gnutls-devel] libtasn1 | Out-of-bound access in ETYPE_OK (#32)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu Feb 4 10:42:41 CET 2021
David Trabish created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/32
## Description of problem:
The bounds check in ETYPE_OK may lead to an out-of-bounds access.
## Version of libtasn1 used:
4.16.0
## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)
Ubuntu
## How reproducible:
```
#include <stdlib.h>
#include <stdio.h>
#include <libtasn1.h>

int main(int argc, char *argv[]) {
	/* 38 is one past ASN1_ETYPE_GENERALIZED_TIME (37), the highest
	 * defined ASN1_ETYPE_* value, so it is not a valid etype. */
	unsigned int etype = 38;
	unsigned int str_len = 10;
	unsigned char *str = calloc(str_len, 1);
	unsigned int tl_len = 10;
	unsigned char *tl = calloc(tl_len, 1);
	int ret;

	(void)argc; (void)argv;
	if (!str || !tl)
		return 1;
	/* The out-of-range etype triggers the global-buffer-overflow read. */
	ret = asn1_encode_simple_der(etype, str, str_len, tl, &tl_len);
	printf("asn1_encode_simple_der returned %d\n", ret);
	free(str);
	free(tl);
	return 0;
}
```
Steps to Reproduce:
* Compile the program with `-fsanitize=address,leak,undefined`
* Run
## Actual results:
```
==23616==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000042e208 at pc 0x000000402854 bp 0x7fffe0995170 sp 0x7fffe0995160
READ of size 8 at 0x00000042e208 thread T0
#0 0x402853 in asn1_encode_simple_der ../../libtasn1-4.16.0/lib/coding.c:218
```
## Expected results:
The macro should do this check instead:
```
(etype) < _asn1_tags_size
```
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/32
You're receiving this email because of your account on gitlab.com.
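Added example, not part of the report above and not libtasn1 code: a miniature etype-to-tag table with the off-by-one form of the bound check (inclusive upper bound) beside the exclusive form the report proposes. The table, its entries, the struct layout and every function name here are invented for illustration; they are not the library's `_asn1_tags`, `_asn1_tags_size` or `ETYPE_OK` definitions. The point it shows is that an index equal to the table size passes a `<=` check and is then used to read one element past the end, which is the shape of the ASan report, while `<` rejects it.

```c
/*
 * Added example (not libtasn1 code): a miniature etype -> tag table
 * lookup with the off-by-one bound check next to the corrected one.
 *
 * Assumptions: the table, struct layout and function names below are
 * constructed for illustration, not the library's own definitions.
 */
#include <stdio.h>

typedef struct {
    unsigned char tag;   /* hypothetical universal tag number */
    unsigned char cls;   /* hypothetical class bits */
    const char   *desc;  /* NULL marks an unused slot */
} tag_entry;

/* Constructed table: index == etype, so valid etypes are 1..tags_size-1. */
static const tag_entry tags[] = {
    { 0x00, 0x00, NULL },           /* 0: invalid, reserved slot */
    { 0x02, 0x00, "INTEGER" },      /* 1 */
    { 0x01, 0x00, "BOOLEAN" },      /* 2 */
    { 0x04, 0x00, "OCTET STRING" }, /* 3 */
    { 0x05, 0x00, "NULL" },         /* 4 */
};
static const unsigned int tags_size = sizeof(tags) / sizeof(tags[0]);

/* Buggy form: an inclusive upper bound (<=) admits etype == tags_size,
 * one past the last element. A caller that then evaluates tags[etype]
 * reads past the end of the array. */
int etype_ok_buggy(unsigned int etype)
{
    return etype != 0 && etype <= tags_size;
}

/* Fixed form: exclusive upper bound (<), as the report proposes. */
int etype_ok_fixed(unsigned int etype)
{
    return etype != 0 && etype < tags_size;
}

/* Encode only the identifier octet for etype into *out.
 * Returns 1 on success, 0 if etype is not a usable table index.
 * Uses the fixed check, so tags[] is only indexed in range. */
int encode_tag_byte(unsigned int etype, unsigned char *out)
{
    if (!etype_ok_fixed(etype) || tags[etype].desc == NULL)
        return 0;
    *out = (unsigned char)((tags[etype].cls << 6) | tags[etype].tag);
    return 1;
}

int main(void)
{
    unsigned int probe = tags_size; /* same shape as etype = 38 in the report */
    unsigned char b = 0;

    printf("tags_size = %u\n", tags_size);
    printf("buggy check accepts %u: %d\n", probe, etype_ok_buggy(probe));
    printf("fixed check accepts %u: %d\n", probe, etype_ok_fixed(probe));
    printf("encode_tag_byte(%u) -> %d\n", probe, encode_tag_byte(probe, &b));
    if (encode_tag_byte(1, &b))
        printf("encode_tag_byte(1) -> 0x%02x (%s)\n", b, tags[1].desc);
    return 0;
}
```

The buggy variant is never used to index the table here on purpose: doing so would be the same undefined read the sanitizer flagged, and the aim is to show the boundary value the two checks disagree on, not to trigger it.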