GNU Libtasn1 3.5 asn1_get_bit_der function out-of-bounds access

2014.06.06
Credit: Nikos
Risk: High
Local: No
Remote: Yes
CWE: CWE-189


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data. diff --git a/lib/decoding.c b/lib/decoding.c index 7e0ed05..894be79 100644 --- a/lib/decoding.c +++ b/lib/decoding.c @@ -249,7 +249,7 @@ asn1_get_octet_der (const unsigned char *der, int der_len, int *ret_len, unsigned char *str, int str_size, int *str_len) { - int len_len; + int len_len = 0; if (der_len <= 0) return ASN1_GENERIC_ERROR; @@ -371,7 +371,7 @@ asn1_get_bit_der (const unsigned char *der, int der_len, int *ret_len, unsigned char *str, int str_size, int *bit_len) { - int len_len, len_byte; + int len_len = 0, len_byte; if (der_len <= 0) return ASN1_GENERIC_ERROR; @@ -381,6 +381,9 @@ asn1_get_bit_der (const unsigned char *der, int der_len, *ret_len = len_byte + len_len + 1; *bit_len = len_byte * 8 - der[len_len]; + + if (*bit_len <= 0) + return ASN1_DER_ERROR; if (str_size >= len_byte) memcpy (str, der + len_len + 1, len_byte);
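Review bot: the `int len_len = 0;` initialiser in asn1_get_octet_der (repeated in asn1_get_bit_der) has no comment explaining it, and the advisory text names only asn1_get_bit_der. If it covers a path where len_len would otherwise be left unset, say so in a comment and consider rejecting that path explicitly: with a default of 0, the later `der[len_len]` in asn1_get_bit_der would silently read the first byte of the buffer instead of failing.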
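Review bot: the new `if (*bit_len <= 0)` test in asn1_get_bit_der runs after `*ret_len` and `*bit_len` have already been stored, so on the error path the caller's variables still hold the rejected value. Computing the result in a local and writing the outputs only after validation would be safer for callers that do not check the return code. The test also rejects a bit length of exactly zero, while the description speaks only of negative lengths, so a short comment on whether an empty BIT STRING is meant to be an error would help. In the lines shown, `der[len_len]` is read and len_byte bytes are copied from `der + len_len + 1` with only str_size compared against len_byte, so it is worth confirming that both are bounded by der_len before this point.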

References:

http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=1c3ccb3e040bf13e342ee60bc23b21b97b11923f
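The arithmetic behind the negative bit length described above, next to a stricter header check, as an added example that is not libtasn1 code. The function names are hypothetical, the sample bytes are constructed, only short-form lengths are handled, and `der` is assumed to point at the length octet. Unlike the patch, which rejects a bit length of zero or less, the strict check accepts a well-formed empty BIT STRING.

```c
#include <stddef.h>
#include <stdio.h>

/* Mirrors the page's expression "len_byte * 8 - der[len_len]" for a
 * one-byte length (len_len == 1). No validation: result can be negative. */
static int unchecked_bit_len(const unsigned char *der)
{
    int len_byte = (int)der[0] - 1;     /* content length minus unused-bits octet */
    return len_byte * 8 - (int)der[1];
}

/* Hypothetical strict check. Returns 0 and sets *bit_len on success,
 * -1 on malformed input; *bit_len is written only on success. */
static int check_bit_string(const unsigned char *der, size_t der_len,
                            long *bit_len)
{
    size_t content_len, data_len;
    unsigned unused;

    if (der == NULL || bit_len == NULL || der_len < 2)
        return -1;                      /* need length + unused-bits octets */
    if (der[0] & 0x80)
        return -1;                      /* long-form length: out of scope here */
    content_len = der[0];
    if (content_len < 1 || content_len > der_len - 1)
        return -1;                      /* content must fit inside the buffer */
    unused = der[1];
    data_len = content_len - 1;
    if (unused > 7)
        return -1;                      /* X.690: unused bits are 0..7 */
    if (data_len == 0 && unused != 0)
        return -1;                      /* empty string cannot have unused bits */
    *bit_len = (long)data_len * 8 - (long)unused;
    return 0;
}

int main(void)
{
    /* Constructed samples: length octet, unused-bits octet, data octets. */
    const unsigned char bad[] = { 0x01, 0x07 };
    const unsigned char ok[]  = { 0x02, 0x04, 0xA0 };
    long n = 0;

    printf("unchecked(bad) = %d\n", unchecked_bit_len(bad));
    printf("strict(bad)    = %d\n", check_bit_string(bad, sizeof bad, &n));
    if (check_bit_string(ok, sizeof ok, &n) == 0)
        printf("strict(ok)     = 0, bit_len = %ld\n", n);
    return 0;
}
```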

