Buffer Overflow in gnutls_pk.c/_gnutls_pkcs1_rsa_decrypt
From: Michal Ambroz
Subject: Buffer Overflow in gnutls_pk.c/_gnutls_pkcs1_rsa_decrypt
Date: Mon, 09 Jan 2012 22:28:16 +0100 (CET)
Hello,
As a result of a bug in openvas-libraries I hit a buffer overflow condition in
gnutls.
This code in gnutls (gnutls_pk.c:220) will overwrite the stack because the
function trusts that the declared size of the pk_params.params will be bigger
than the size of parameters from the configured pkcs11 key:
209 _gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
210                            const gnutls_datum_t * ciphertext,
211                            bigint_t * params, unsigned params_len,
212                            unsigned btype)
213 {
214   unsigned int k, i;
215   int ret;
216   size_t esize, mod_bits;
217   gnutls_pk_params_st pk_params;
218
219   for (i = 0; i < params_len; i++)
220     pk_params.params[i] = params[i];
221   pk_params.params_nr = params_len;
222
On the GnuTLS side I would recommend to either:
1) log an error and exit gracefully if calling params_len is greater than the
struct size
2) log an error and limit the for cycle with the min(params_len,
sizeof(pk_params.params) )
to ensure that the buffer will not get overwritten with broken or intentionally
crafted data.
Best regards
Michal Ambroz
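
Added example, not part of the original message and not GnuTLS code: a sketch of the first recommendation, rejecting a caller-supplied `params_len` that exceeds the destination array before the copy loop runs. The type names, `MAX_PARAMS` value, error code and helper functions are hypothetical stand-ins for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the library types; the capacity 8 is an assumption. */
#define MAX_PARAMS 8
#define ERR_INVALID_REQUEST (-1)
typedef void *bigint_t;

typedef struct {
    bigint_t params[MAX_PARAMS];
    unsigned params_nr;
} pk_params_st;

/* Copy caller-supplied parameters into the fixed-size struct, refusing
 * any count that does not fit instead of writing past the array. */
int load_pk_params(pk_params_st *dst, const bigint_t *params, unsigned params_len)
{
    /* Capacity counted in elements, not bytes. */
    const size_t cap = sizeof(dst->params) / sizeof(dst->params[0]);
    unsigned i;

    if (dst == NULL)
        return ERR_INVALID_REQUEST;
    if (params == NULL || params_len > cap) {
        fprintf(stderr, "load_pk_params: %u params, capacity %zu\n", params_len, cap);
        dst->params_nr = 0;
        return ERR_INVALID_REQUEST;
    }
    for (i = 0; i < params_len; i++)
        dst->params[i] = params[i];
    dst->params_nr = params_len;
    return 0;
}

/* Constructed check: an oversized count is rejected and the value placed
 * after the struct is left untouched. Returns 1 on success. */
int oversized_is_rejected(void)
{
    struct { pk_params_st pk; unsigned long canary; } frame;
    bigint_t input[MAX_PARAMS + 4] = { 0 };
    int ret;

    frame.canary = 0xC0FFEEUL;
    ret = load_pk_params(&frame.pk, input, MAX_PARAMS + 4);
    return ret == ERR_INVALID_REQUEST && frame.pk.params_nr == 0
           && frame.canary == 0xC0FFEEUL;
}

/* Constructed check: a count equal to the capacity is still accepted. */
int exact_fit_is_accepted(void)
{
    pk_params_st pk;
    bigint_t input[MAX_PARAMS] = { 0 };
    return load_pk_params(&pk, input, MAX_PARAMS) == 0 && pk.params_nr == MAX_PARAMS;
}
```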