1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
From 28daf52d3502dbe55a229b4a1a0ad9a1a4589bd7 Mon Sep 17 00:00:00 2001
From: mancha <mancha1@hush.com>
Date: Thu, 3 Oct 2013
Subject: CVE-2012-1569 [GNUTLS-SA-2012-3]
asn1_get_length_der() in decoding.c in GNU Libtasn1 before 2.12
does not properly handle certain large length values. This can be
exploited by attackers to cause a DoS or other impacts via a
crafted ASN.1 structure.
Fix adapted for use with libtasn1 embedded in GnuTLS 2.10.5.
Relevant upstream patch:
------------------------
http://article.gmane.org/gmane.comp.gnu.libtasn1.general/54
---
decoding.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/lib/minitasn1/decoding.c
+++ b/lib/minitasn1/decoding.c
@@ -55,12 +55,13 @@ _asn1_error_description_tag_error (ASN1_TYPE node, char *ErrorDescription)
* Extract a length field from DER data.
*
* Returns: Return the decoded length value, or -1 on indefinite
- * length, or -2 when the value was too big.
+ * length, or -2 when the value was too big to fit in a int, or -4
+ * when the decoded length value plus @len would exceed @der_len.
**/
signed long
asn1_get_length_der (const unsigned char *der, int der_len, int *len)
{
- unsigned long ans;
+ int ans;
int k, punt;
*len = 0;
@@ -83,7 +84,7 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
ans = 0;
while (punt <= k && punt < der_len)
{
- unsigned long last = ans;
+ int last = ans;
ans = ans * 256 + der[punt++];
if (ans < last)
@@ -93,10 +94,13 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
}
else
{ /* indefinite length method */
- ans = -1;
+ *len = punt;
+ return -1;
}
*len = punt;
+ if (ans + *len < ans || ans + *len > der_len)
+ return -4;
return ans;
}
}
|