[gnutls-devel] libtasn1 | Out-of-bound access in ETYPE_OK (#32)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Feb 4 10:42:41 CET 2021

David Trabish created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/32

## Description of problem:
The bound check in ETYPE_OK may lead to out-of-bound access.

## Version of libtasn1 used:

## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)

## How reproducible:
#include <stdlib.h>
#include <stdio.h>
#include <libtasn1.h>

int main(int argc, char *argv[]) {
    unsigned int etype = 38;

    unsigned int str_len = 10;
    unsigned char *str = malloc(str_len);

    unsigned int tl_len = 10;
    unsigned char *tl = malloc(tl_len);

    asn1_encode_simple_der(etype, str, str_len, tl, &tl_len);
    return 0;

Steps to Reproduce:
* Compile the program with `-fsanitize=address,leak,undefined`
* Run

## Actual results:
==23616==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000042e208 at pc 0x000000402854 bp 0x7fffe0995170 sp 0x7fffe0995160
READ of size 8 at 0x00000042e208 thread T0
    #0 0x402853 in asn1_encode_simple_der ../../libtasn1-4.16.0/lib/coding.c:218

## Expected results:
The macro should do this check instead:
(etype) < _asn1_tags_size

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/32
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20210204/92085c0f/attachment.html>

More information about the Gnutls-devel mailing list