Buffer Overflow in gnutls_pk.c/_gnutls_pkcs1_rsa_decrypt

Michal Ambroz rebus at seznam.cz
Mon Jan 9 22:28:16 CET 2012


As a result of a bug in openvas-libraries I hit a buffer overflow condition in gnutls.

This code in gnutls (gnutls_pk.c:220) will overwrite the stack because the
function trusts that the declared size of the pk_params.params will be bigger
than the size of parameters from the configured pkcs11 key:

209 _gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
210                            const gnutls_datum_t * ciphertext,
211                            bigint_t * params, unsigned params_len,
212                            unsigned btype)
213 {
214   unsigned int k, i;
215   int ret;
216   size_t esize, mod_bits;
217   gnutls_pk_params_st pk_params;
219   for (i = 0; i < params_len; i++)
220     pk_params.params[i] = params[i];
221   pk_params.params_nr = params_len;

On the GnuTLS side I would recommend to either:
1) log an error and exit gracefully if the calling params_len is greater than the struct size
2) log an error and limit the for cycle with min(params_len, sizeof(pk_params.params))
to ensure that the buffer will not get overwritten with broken or intentionally crafted data.

Best regards
Michal Ambroz
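Both mitigations proposed above, as an added example that is not GnuTLS code: a struct modelled on pk_params (the bigint_t stand-in and the 8-entry capacity are assumptions), a copy that rejects an oversized params_len, and one that clamps the loop to the array size.

```c
#include <stdio.h>
#include <string.h>
typedef void *bigint_t;          /* constructed stand-in for GnuTLS's bigint_t */
#define PK_PARAMS_MAX 8          /* assumed capacity of pk_params.params */

typedef struct {
    bigint_t params[PK_PARAMS_MAX];
    unsigned params_nr;
} pk_params_st;

/* Option 1: refuse oversized input, log, return an error, leave dst untouched. */
int copy_params_reject(pk_params_st *dst, const bigint_t *src, unsigned n)
{
    if (n > PK_PARAMS_MAX) {
        fprintf(stderr, "params_len %u exceeds capacity %d\n", n, PK_PARAMS_MAX);
        return -1;
    }
    for (unsigned i = 0; i < n; i++)
        dst->params[i] = src[i];
    dst->params_nr = n;
    return 0;
}

/* Option 2: clamp the loop to min(n, capacity), log, return entries copied. */
unsigned copy_params_clamp(pk_params_st *dst, const bigint_t *src, unsigned n)
{
    unsigned limit = n > PK_PARAMS_MAX ? PK_PARAMS_MAX : n;
    if (limit != n)
        fprintf(stderr, "params_len %u truncated to %u\n", n, limit);
    for (unsigned i = 0; i < limit; i++)
        dst->params[i] = src[i];
    dst->params_nr = limit;
    return limit;
}

/* Constructed check: 12 caller-supplied handles against an 8-entry struct. */
int demo_oversized_params(void)
{
    int dummies[12];
    bigint_t src[12];
    pk_params_st pk;
    for (unsigned i = 0; i < 12; i++)
        src[i] = &dummies[i];
    memset(&pk, 0, sizeof pk);
    if (copy_params_reject(&pk, src, 12) != -1 || pk.params_nr != 0)
        return 0;                /* must fail without touching pk */
    if (copy_params_clamp(&pk, src, 12) != 8 || pk.params[7] != src[7])
        return 0;                /* must copy exactly the capacity */
    return copy_params_reject(&pk, src, 3) == 0 && pk.params_nr == 3;
}
```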
