Commit 6ccf7437 authored by Lev Walkin's avatar Lev Walkin

[unber] fix buffer overrun in the BER introspection and debugging tool (unber)

parent ccfaf2ab
...@@ -38,6 +38,7 @@ stamp-h* ...@@ -38,6 +38,7 @@ stamp-h*
# /asn1c-tools # /asn1c-tools
/asn1-tools/enber/enber /asn1-tools/enber/enber
/asn1-tools/unber/unber /asn1-tools/unber/unber
/asn1-tools/unber/check_unber
# /skeletons # /skeletons
/skeletons/check-* /skeletons/check-*
......
...@@ -6,6 +6,7 @@ Bi-Ruei, Chiu <biruei.chiu@gmail.com> ...@@ -6,6 +6,7 @@ Bi-Ruei, Chiu <biruei.chiu@gmail.com>
Daniele Varrazzo <daniele.varrazzo@gmail.com> Daniele Varrazzo <daniele.varrazzo@gmail.com>
Denis Filatov (DanyaFilatov @ github) Denis Filatov (DanyaFilatov @ github)
daa @ github daa @ github
Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
Erika Thorsen (akire @ github) Erika Thorsen (akire @ github)
gareins @ github gareins @ github
johvik @ github johvik @ github
......
...@@ -24,18 +24,22 @@ ...@@ -24,18 +24,22 @@
* uper_encode() API got new argument (breaks API compatibility). * uper_encode() API got new argument (breaks API compatibility).
* asn1c -gen-XXX flags are deprecated. Use -no-gen-XXX to disable codecs. * asn1c -gen-XXX flags are deprecated. Use -no-gen-XXX to disable codecs.
FIXES: FIXES IN COMPILER-GENERATED OUTPUT:
* CVE-2017-12966 verified not present. * Fix incomplete (failed) CHOICE XER decoding memory leak.
* Fix incomplete (failed) CHOICE XER decoding memory leak. (Severity: medium; Security impact: medium)
(Severity: medium; Security impact: medium) * Fix REAL type overwrite conversion memory leak.
* Fix REAL type overwrite conversion memory leak. (Severity: low; Security impact: medium)
(Severity: low; Security impact: medium) * Fix UPER string decoding constrained only by lower bound > 0
* Fix UPER string decoding constrained only by lower bound > 0 (Severity: low; Security impact: none)
(Severity: low; Security impact: none) * Fix UPER decoding of large [bit-]strings of size a multiple of 16K
* Fix UPER decoding of large [bit-]strings of size a multiple of 16K (Severity: low; Security impact: none)
(Severity: low; Security impact: none) * Fix XER decoder crash on maliciously constructed ENUMERATED input.
* Fix XER decoder crash on maliciously constructed ENUMERATED input. (Severity: medium; Security impact: medium)
(Severity: medium; Security impact: medium)
FIXES IN TOOLING:
* CVE-2017-12966 verified not present.
* Fix `unber` buffer overrun. Reported by Eric Sesterhenn.
(Severity: low; Security impact: high)
0.9.28: 2017-03-26 0.9.28: 2017-03-26
* PER decoding: avoid memory leak on error. By github.com/simo5 * PER decoding: avoid memory leak on error. By github.com/simo5
......
...@@ -11,7 +11,21 @@ noinst_LTLIBRARIES = libasn1-unber-tool.la ...@@ -11,7 +11,21 @@ noinst_LTLIBRARIES = libasn1-unber-tool.la
libasn1_unber_tool_la_SOURCES = \ libasn1_unber_tool_la_SOURCES = \
libasn1_unber_tool.c libasn1_unber_tool.h libasn1_unber_tool.c libasn1_unber_tool.h
bin_PROGRAMS = unber
unber_LDADD = libasn1-unber-tool.la \ unber_LDADD = libasn1-unber-tool.la \
$(top_builddir)/libasn1common/libasn1common.la $(top_builddir)/libasn1common/libasn1common.la
bin_PROGRAMS = unber check_PROGRAMS = check_unber
check_unber_CFLAGS = $(TESTSUITE_CFLAGS) $(LIBFUZZER_CFLAGS)
check_unber_LDADD = libasn1-unber-tool.la \
$(top_builddir)/libasn1common/libasn1common.la
dist_check_SCRIPTS=check_unber.sh
# This jump through the shell is needed to run ./check_unber binary with
# proper fuzzing options.
TESTS_ENVIRONMENT= \
ASAN_ENV_FLAGS="@ASAN_ENV_FLAGS@" \
builddir=${builddir}
TESTS= check_unber.sh
#include "asn1_common.h"
#include "libasn1_unber_tool.h"
// An abstraction for getting data from the in-memory buffer.
struct memory_buffer_stream {
input_stream_t istream;
const uint8_t *data;
size_t size;
size_t offset;
};
static int memory_buffer_stream_nextChar(input_stream_t *ibs) {
struct memory_buffer_stream *bs = (struct memory_buffer_stream *)ibs;
if(bs->offset < bs->size) {
return bs->data[bs->offset++];
} else {
return -1;
}
}
static off_t memory_buffer_stream_bytesRead(input_stream_t *ibs) {
struct memory_buffer_stream *bs = (struct memory_buffer_stream *)ibs;
return (off_t)bs->offset;
}
static int
ignore_vprintf(output_stream_t *os, const char *fmt, va_list ap) {
(void)os;
(void)fmt;
(void)ap;
// Ignore all output.
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
int
LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
// Read from a memory buffer.
struct memory_buffer_stream mbs;
mbs.istream.nextChar = memory_buffer_stream_nextChar;
mbs.istream.bytesRead = memory_buffer_stream_bytesRead;
mbs.data = Data;
mbs.size = Size;
mbs.offset = 0;
// Do not print anywhere.
struct output_stream nullstream;
nullstream.vprintf = ignore_vprintf;
nullstream.vprintfError = ignore_vprintf;
(void)unber_stream("<fuzzed-input>", &mbs.istream, &nullstream);
return 0;
}
#ifndef ENABLE_LIBFUZZER
int main() {
printf("libfuzzer is not compiled-in, pretend the test went OK.\n");
return 0;
}
#endif
#!/bin/sh
FUZZ_TIME=${FUZZ_TIME:-10}
builddir=${builddir:-.}
env ${ASAN_ENV_FLAGS:-} ${builddir}/check_unber \
-timeout=3 \
-max_total_time=${FUZZ_TIME} \
-max_len=500
This diff is collapsed.
...@@ -38,6 +38,32 @@ int set_indent_size(int indent_size); ...@@ -38,6 +38,32 @@ int set_indent_size(int indent_size);
*/ */
int unber_file(const char *fname); int unber_file(const char *fname);
typedef struct input_stream {
/*
* Return the next character as if it were an unsigned int converted to
* an int. Returns -1 on EOF or error.
*/
int (*nextChar)(struct input_stream *);
/*
* Return the number of bytes consumed from the stream so far.
*/
off_t (*bytesRead)(struct input_stream *);
} input_stream_t;
typedef struct output_stream {
/*
* Return the next character as if it were an unsigned int converted to
* an int. Returns -1 on EOF or error.
*/
int (*vprintf)(struct output_stream *, const char *fmt, va_list);
int (*vprintfError)(struct output_stream *, const char *fmt, va_list);
} output_stream_t;
/*
* Lower level converter.
*/
int unber_stream(const char *fname, input_stream_t *, output_stream_t *);
/* /*
* Decode the TLV given by the given string. * Decode the TLV given by the given string.
*/ */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment