Buffer Overflow in gnutls_pk.c/_gnutls_pkcs1_rsa_decrypt

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jan 9 23:50:44 CET 2012

On 01/09/2012 10:28 PM, Michal Ambroz wrote:

> Hello,
> As a result of bug in openvas-libraries I hit buffer overflow
> condition in gnutls. This code in gnutls (gnutls_pk.c:220) will
> overwrite the stack because the function trusts that the declared
> size of the pk_params.params will be bigger than the size of
> parameters from the configured pkcs11 key:

 I would be curious on how you reached the buffer overflow. This is an
internal function and its input is controlled by its callers.

> 2) log an error and limit the for cycle with the min(params_len,
> sizeof(pk_params.params) )

> to ensure that the buffer will not get overwritten with broken or
> intentionally crafted data.

Although having a sanity check there is useful, how could intentionally 
crafted data reach that point?


More information about the Gnutls-devel mailing list