Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
A
asn1c
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Libraries
asn1c
Commits
6ccf7437
Commit
6ccf7437
authored
Jan 21, 2019
by
Lev Walkin
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
[unber] fix buffer overrun in the BER introspection and debugging tool (unber)
parent
ccfaf2ab
Changes
8
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
300 additions
and
101 deletions
+300
-101
.gitignore
.gitignore
+1
-0
AUTHORS
AUTHORS
+1
-0
ChangeLog
ChangeLog
+16
-12
asn1-tools/unber/Makefile.am
asn1-tools/unber/Makefile.am
+15
-1
asn1-tools/unber/check_unber.c
asn1-tools/unber/check_unber.c
+65
-0
asn1-tools/unber/check_unber.sh
asn1-tools/unber/check_unber.sh
+9
-0
asn1-tools/unber/libasn1_unber_tool.c
asn1-tools/unber/libasn1_unber_tool.c
+167
-88
asn1-tools/unber/libasn1_unber_tool.h
asn1-tools/unber/libasn1_unber_tool.h
+26
-0
No files found.
.gitignore
View file @
6ccf7437
...
@@ -38,6 +38,7 @@ stamp-h*
...
@@ -38,6 +38,7 @@ stamp-h*
# /asn1c-tools
# /asn1c-tools
/asn1-tools/enber/enber
/asn1-tools/enber/enber
/asn1-tools/unber/unber
/asn1-tools/unber/unber
/asn1-tools/unber/check_unber
# /skeletons
# /skeletons
/skeletons/check-*
/skeletons/check-*
...
...
AUTHORS
View file @
6ccf7437
...
@@ -6,6 +6,7 @@ Bi-Ruei, Chiu <biruei.chiu@gmail.com>
...
@@ -6,6 +6,7 @@ Bi-Ruei, Chiu <biruei.chiu@gmail.com>
Daniele Varrazzo <daniele.varrazzo@gmail.com>
Daniele Varrazzo <daniele.varrazzo@gmail.com>
Denis Filatov (DanyaFilatov @ github)
Denis Filatov (DanyaFilatov @ github)
daa @ github
daa @ github
Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
Erika Thorsen (akire @ github)
Erika Thorsen (akire @ github)
gareins @ github
gareins @ github
johvik @ github
johvik @ github
...
...
ChangeLog
View file @
6ccf7437
...
@@ -24,18 +24,22 @@
...
@@ -24,18 +24,22 @@
* uper_encode() API got new argument (breaks API compatibility).
* uper_encode() API got new argument (breaks API compatibility).
* asn1c -gen-XXX flags are deprecated. Use -no-gen-XXX to disable codecs.
* asn1c -gen-XXX flags are deprecated. Use -no-gen-XXX to disable codecs.
FIXES:
FIXES IN COMPILER-GENERATED OUTPUT:
* CVE-2017-12966 verified not present.
* Fix incomplete (failed) CHOICE XER decoding memory leak.
* Fix incomplete (failed) CHOICE XER decoding memory leak.
(Severity: medium; Security impact: medium)
(Severity: medium; Security impact: medium)
* Fix REAL type overwrite conversion memory leak.
* Fix REAL type overwrite conversion memory leak.
(Severity: low; Security impact: medium)
(Severity: low; Security impact: medium)
* Fix UPER string decoding constrained only by lower bound > 0
* Fix UPER string decoding constrained only by lower bound > 0
(Severity: low; Security impact: none)
(Severity: low; Security impact: none)
* Fix UPER decoding of large [bit-]strings of size a multiple of 16K
* Fix UPER decoding of large [bit-]strings of size a multiple of 16K
(Severity: low; Security impact: none)
(Severity: low; Security impact: none)
* Fix XER decoder crash on maliciously constructed ENUMERATED input.
* Fix XER decoder crash on maliciously constructed ENUMERATED input.
(Severity: medium; Security impact: medium)
(Severity: medium; Security impact: medium)
FIXES IN TOOLING:
* CVE-2017-12966 verified not present.
* Fix `unber` buffer overrun. Reported by Eric Sesterhenn.
(Severity: low; Security impact: high)
0.9.28: 2017-03-26
0.9.28: 2017-03-26
* PER decoding: avoid memory leak on error. By github.com/simo5
* PER decoding: avoid memory leak on error. By github.com/simo5
...
...
asn1-tools/unber/Makefile.am
View file @
6ccf7437
...
@@ -11,7 +11,21 @@ noinst_LTLIBRARIES = libasn1-unber-tool.la
...
@@ -11,7 +11,21 @@ noinst_LTLIBRARIES = libasn1-unber-tool.la
libasn1_unber_tool_la_SOURCES
=
\
libasn1_unber_tool_la_SOURCES
=
\
libasn1_unber_tool.c libasn1_unber_tool.h
libasn1_unber_tool.c libasn1_unber_tool.h
bin_PROGRAMS
=
unber
unber_LDADD
=
libasn1-unber-tool.la
\
unber_LDADD
=
libasn1-unber-tool.la
\
$(top_builddir)
/libasn1common/libasn1common.la
$(top_builddir)
/libasn1common/libasn1common.la
bin_PROGRAMS
=
unber
check_PROGRAMS
=
check_unber
check_unber_CFLAGS
=
$(TESTSUITE_CFLAGS)
$(LIBFUZZER_CFLAGS)
check_unber_LDADD
=
libasn1-unber-tool.la
\
$(top_builddir)
/libasn1common/libasn1common.la
dist_check_SCRIPTS
=
check_unber.sh
# This jump through the shell is needed to run ./check_unber binary with
# proper fuzzing options.
TESTS_ENVIRONMENT
=
\
ASAN_ENV_FLAGS
=
"@ASAN_ENV_FLAGS@"
\
builddir
=
${builddir}
TESTS
=
check_unber.sh
asn1-tools/unber/check_unber.c
0 → 100644
View file @
6ccf7437
#include "asn1_common.h"
#include "libasn1_unber_tool.h"
// An abstraction for getting data from the in-memory buffer.
struct
memory_buffer_stream
{
input_stream_t
istream
;
const
uint8_t
*
data
;
size_t
size
;
size_t
offset
;
};
static
int
memory_buffer_stream_nextChar
(
input_stream_t
*
ibs
)
{
struct
memory_buffer_stream
*
bs
=
(
struct
memory_buffer_stream
*
)
ibs
;
if
(
bs
->
offset
<
bs
->
size
)
{
return
bs
->
data
[
bs
->
offset
++
];
}
else
{
return
-
1
;
}
}
static
off_t
memory_buffer_stream_bytesRead
(
input_stream_t
*
ibs
)
{
struct
memory_buffer_stream
*
bs
=
(
struct
memory_buffer_stream
*
)
ibs
;
return
(
off_t
)
bs
->
offset
;
}
static
int
ignore_vprintf
(
output_stream_t
*
os
,
const
char
*
fmt
,
va_list
ap
)
{
(
void
)
os
;
(
void
)
fmt
;
(
void
)
ap
;
// Ignore all output.
return
0
;
}
int
LLVMFuzzerTestOneInput
(
const
uint8_t
*
Data
,
size_t
Size
);
int
LLVMFuzzerTestOneInput
(
const
uint8_t
*
Data
,
size_t
Size
)
{
// Read from a memory buffer.
struct
memory_buffer_stream
mbs
;
mbs
.
istream
.
nextChar
=
memory_buffer_stream_nextChar
;
mbs
.
istream
.
bytesRead
=
memory_buffer_stream_bytesRead
;
mbs
.
data
=
Data
;
mbs
.
size
=
Size
;
mbs
.
offset
=
0
;
// Do not print anywhere.
struct
output_stream
nullstream
;
nullstream
.
vprintf
=
ignore_vprintf
;
nullstream
.
vprintfError
=
ignore_vprintf
;
(
void
)
unber_stream
(
"<fuzzed-input>"
,
&
mbs
.
istream
,
&
nullstream
);
return
0
;
}
#ifndef ENABLE_LIBFUZZER
int
main
()
{
printf
(
"libfuzzer is not compiled-in, pretend the test went OK.
\n
"
);
return
0
;
}
#endif
asn1-tools/unber/check_unber.sh
0 → 100755
View file @
6ccf7437
#!/bin/sh
FUZZ_TIME
=
${
FUZZ_TIME
:-
10
}
builddir
=
${
builddir
:-
.
}
env
${
ASAN_ENV_FLAGS
:-}
${
builddir
}
/check_unber
\
-timeout
=
3
\
-max_total_time
=
${
FUZZ_TIME
}
\
-max_len
=
500
asn1-tools/unber/libasn1_unber_tool.c
View file @
6ccf7437
This diff is collapsed.
Click to expand it.
asn1-tools/unber/libasn1_unber_tool.h
View file @
6ccf7437
...
@@ -38,6 +38,32 @@ int set_indent_size(int indent_size);
...
@@ -38,6 +38,32 @@ int set_indent_size(int indent_size);
*/
*/
int
unber_file
(
const
char
*
fname
);
int
unber_file
(
const
char
*
fname
);
typedef
struct
input_stream
{
/*
* Return the next character as if it were an unsigned int converted to
* an int. Returns -1 on EOF or error.
*/
int
(
*
nextChar
)(
struct
input_stream
*
);
/*
* Return the number of bytes consumed from the stream so far.
*/
off_t
(
*
bytesRead
)(
struct
input_stream
*
);
}
input_stream_t
;
typedef
struct
output_stream
{
/*
* Return the next character as if it were an unsigned int converted to
* an int. Returns -1 on EOF or error.
*/
int
(
*
vprintf
)(
struct
output_stream
*
,
const
char
*
fmt
,
va_list
);
int
(
*
vprintfError
)(
struct
output_stream
*
,
const
char
*
fmt
,
va_list
);
}
output_stream_t
;
/*
* Lower level converter.
*/
int
unber_stream
(
const
char
*
fname
,
input_stream_t
*
,
output_stream_t
*
);
/*
/*
* Decode the TLV given by the given string.
* Decode the TLV given by the given string.
*/
*/
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment