[PATCH] Perform bounds check when getting length from TLV


Greg Suarez
Some files with a malformed (malicious?) digital signature cause Decode() in ASN1.cs to go into an infinite loop,
consuming more and more memory until the process is killed by the kernel (tested on Linux).

---
 mcs/class/Mono.Security/Mono.Security/ASN1.cs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/mcs/class/Mono.Security/Mono.Security/ASN1.cs b/mcs/class/Mono.Security/Mono.Security/ASN1.cs
index 751a2ece4e6..d350f6fbf14 100644
--- a/mcs/class/Mono.Security/Mono.Security/ASN1.cs
+++ b/mcs/class/Mono.Security/Mono.Security/ASN1.cs
@@ -250,6 +250,11 @@ namespace Mono.Security {
  // sometimes we get trailing 0
  if (nTag == 0)
  continue;
+                if (anPos + nLength > anLength)
+                {
+                    anPos = anLength;
+                    break;
+                }
 
  ASN1 elm = Add (new ASN1 (nTag, aValue));
 
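Review bot: The new bounds check sits below the `if (nTag == 0) continue;` shortcut, so an element that decodes with a zero tag and an out-of-range length never reaches it; moving the `anPos + nLength > anLength` test above the `continue` would cover that path as well. Writing the comparison as `nLength > anLength - anPos` would also keep the sum from wrapping when the encoded length is close to the integer maximum (assuming these are signed 32-bit values, which the hunk does not show). The `break` discards the malformed tail silently, so a one-line comment in the style of `// sometimes we get trailing 0`, saying that an over-long element is ignored rather than rejected, would document that choice. The added lines also appear to be indented with spaces, unlike the context lines around them.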
-- 
2.11.0


_______________________________________________
Mono-devel-list mailing list
[hidden email]
http://lists.dot.net/mailman/listinfo/mono-devel-list