Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test for issue #507 always passes #561

Open
jamuir opened this issue Feb 14, 2021 · 2 comments
Open

test for issue #507 always passes #561

jamuir opened this issue Feb 14, 2021 · 2 comments

Comments

@jamuir
Copy link
Contributor

jamuir commented Feb 14, 2021

Description

There is a test vector for issue #507 in tests/der_test.c. However, if you revert the fix for #507, the test still passes (so the test in its current form doesn't really tell us much).

Steps to Reproduce

One way is to reset to d2027d6, revert 25c26a3 and then run the tests.

Another way is to revert the fix for #507 manually:

diff --git a/src/pk/asn1/der/utf8/der_decode_utf8_string.c b/src/pk/asn1/der/utf8/der_decode_utf8_string.c
index 93a5e5ed..c2b6bb6b 100644
--- a/src/pk/asn1/der/utf8/der_decode_utf8_string.c
+++ b/src/pk/asn1/der/utf8/der_decode_utf8_string.c
@@ -77,7 +77,7 @@ int der_decode_utf8_string(const unsigned char *in,  unsigned long inlen,
       for (z = 0; (tmp & 0x80) && (z <= 4); z++, tmp = (tmp << 1) & 0xFF);
 
       /* z should be in {0,2,3,4} */
-      if (z == 1 || z > 4) {
+      if (z > 4) {
          return CRYPT_INVALID_PACKET;
       }
 
@@ -85,7 +85,7 @@ int der_decode_utf8_string(const unsigned char *in,  unsigned long inlen,
       tmp >>= z;
 
       /* now update z so it equals the number of additional bytes to read */
-      if (z > 0) { --z; }
+      if (z > 1) { --z; }
 
       if (x + z > inlen) {
          return CRYPT_INVALID_PACKET;

To run the der test, I do this:

CFLAGS="-DUSE_LTM -DLTM_DESC -I../libtommath" EXTRALIBS="../libtommath/libtommath.a" make test && ./test der
@jamuir
Copy link
Contributor Author

jamuir commented Feb 14, 2021

The test vector for #507 is expected to cause a failure (i.e. fail is good).

The reason it still fails when the fix is reverted/removed is because the ASN1 parser encounters invalid data when it reads beyond the test vector (typically it will read a byte that is not a valid ASN1 type id).

@jamuir
Copy link
Contributor Author

jamuir commented Feb 14, 2021
edited
Loading

I think the primary vulnerability uncovered in #507 is not in utf-8 decoding; it is the underflow of the unsigned computation "*inlen -= len;" inside src/pk/asn1/der/sequence/der_decode_sequence_flexi.c.

There should be an underflow check added inside der_decode_sequence_flexi.c. I have a change ready that does that, but we still need a good test for #507. This is why I opened the current issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jamuir