gnutls-devel

Re: Buffer Overflow in gnutls_pk.c/_gnutls_pkcs1_rsa_decrypt


From: Nikos Mavrogiannopoulos
Subject: Re: Buffer Overflow in gnutls_pk.c/_gnutls_pkcs1_rsa_decrypt
Date: Mon, 09 Jan 2012 23:50:44 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111114 Icedove/3.1.16

On 01/09/2012 10:28 PM, Michal Ambroz wrote:

> Hello,
> As a result of a bug in openvas-libraries I hit a buffer overflow
> condition in gnutls. This code in gnutls (gnutls_pk.c:220) will
> overwrite the stack because the function trusts that the declared
> size of the pk_params.params will be bigger than the size of
> parameters from the configured pkcs11 key:


Hello,
 I would be curious about how you reached the buffer overflow. This is an
internal function and its input is controlled by its callers.

> 2) log an error and limit the for cycle with the min(params_len,
> sizeof(pk_params.params) )

> to ensure that the buffer will not get overwritten with broken or
> intentionally crafted data.


Although having a sanity check there is useful, how could intentionally 
crafted data reach that point?

regards,
Nikos
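
The sanity check discussed in this message, sketched as an added example that is not part of the original e-mail or of GnuTLS's own code. The struct, the constant MAX_PK_PARAMS, the type param_t and the function load_params are hypothetical stand-ins; the sketch assumes params is an array of pointer-sized handles, bounds the loop by element count (sizeof of the whole array is a byte count), and rejects oversized input instead of clamping it.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins: not GnuTLS's real types or constants. */
#define MAX_PK_PARAMS 8
typedef const void *param_t;

struct pk_params {
    param_t params[MAX_PK_PARAMS];
    unsigned int params_nr;
};

/* Element capacity of the array. sizeof((p)->params) on its own is
 * MAX_PK_PARAMS * sizeof(param_t) bytes, so using it directly as the
 * loop bound would still permit writes past the end of the array. */
#define PARAMS_CAP(p) (sizeof((p)->params) / sizeof((p)->params[0]))

/* Copy params_len caller-supplied parameters from src (must be valid
 * for params_len elements) into the fixed-size array in dst.
 * Returns 0 on success, -1 if the input does not fit; on failure
 * nothing is copied and params_nr is left at 0. */
int load_params(struct pk_params *dst, const param_t *src, size_t params_len)
{
    size_t i;

    dst->params_nr = 0;
    if (params_len > PARAMS_CAP(dst)) {
        fprintf(stderr, "load_params: %zu parameters exceed capacity %zu\n",
                params_len, PARAMS_CAP(dst));
        return -1;
    }
    for (i = 0; i < params_len; i++)
        dst->params[i] = src[i];
    dst->params_nr = (unsigned int)params_len;
    return 0;
}

int main(void)
{
    static int dummy[16];   /* constructed sample values */
    param_t in[16];
    struct pk_params p;
    size_t i;

    for (i = 0; i < 16; i++)
        in[i] = &dummy[i];
    printf("6 params  -> %d\n", load_params(&p, in, 6));
    printf("16 params -> %d\n", load_params(&p, in, 16));
    return 0;
}
```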


