Hi,

While hunting for certificates in a damaged archive, ssleay/openssl
dumped core; the offending byte sequence was
<valid asn1> <last byte of a sector> 2, <damaged sector> 0, 0.

Upon further investigation, d2i_ASN1_INTEGER, d2i_ASN1_ENUMERATED and
d2i_ASN1_OBJECT are vulnerable to zero-length values, as demonstrated in the
attached log. (Needless to point out that carefully constructed SSL messages
can cause SSL servers to dump core/GPF.)

Frans Heymans
# Reproducer from the report: nested indefinite-length SEQUENCEs, each wrapping a
# zero-length primitive of the next tag number (see the asn1parse output below).
# The base64 body must stay byte-for-byte as given; it is the malformed input.
openssl asn1parse <<EOF
-----BEGIN OPENSSL DUMPS CORE-----
MIAwgAEBAAAAMIACAAAAMIADAAAAMIAEAAAAMIAFAAAAMIAGAAAAMIAHAAAAMIAI
AAAAMIAJAAAAMIAKAAAAMIALAAAAMIAMAAAAMIANAAAAMIAOAAAAMIAPAAAAMIAS
AAAAMIATAAAAMIAUAAAAMIAVAAAAMIAWAAAAMIAXAAAAMIAYAAAAMIAZAAAAMIAa
AAAAMIAbAAAAMIAcAAAAMIAdAAAAMIAeAAAAAAA=
-----END OPENSSL DUMPS CORE-----
EOF

Before fix of d2i_ASN1_INTEGER:

    0:d=0  hl=2 l=inf  cons: SEQUENCE          
    2:d=1  hl=2 l=inf  cons: SEQUENCE          
    4:d=2  hl=2 l=   1 prim: BOOLEAN           :0
    7:d=2  hl=2 l=   0 prim: EOC               
    9:d=1  hl=2 l=inf  cons: SEQUENCE          
Segmentation fault (core dumped)

Before fix of d2i_ASN1_OBJECT:

    0:d=0  hl=2 l=inf  cons: SEQUENCE          
    2:d=1  hl=2 l=inf  cons: SEQUENCE          
    4:d=2  hl=2 l=   1 prim: BOOLEAN           :0
    7:d=2  hl=2 l=   0 prim: EOC               
    9:d=1  hl=2 l=inf  cons: SEQUENCE          
   11:d=2  hl=2 l=   0 prim: INTEGER           :00
   13:d=2  hl=2 l=   0 prim: EOC               
   15:d=1  hl=2 l=inf  cons: SEQUENCE          
   17:d=2  hl=2 l=   0 prim: BIT STRING        
   19:d=2  hl=2 l=   0 prim: EOC               
   21:d=1  hl=2 l=inf  cons: SEQUENCE          
   23:d=2  hl=2 l=   0 prim: OCTET STRING      
   25:d=2  hl=2 l=   0 prim: EOC               
   27:d=1  hl=2 l=inf  cons: SEQUENCE          
   29:d=2  hl=2 l=   0 prim: NULL              
   31:d=2  hl=2 l=   0 prim: EOC               
   33:d=1  hl=2 l=inf  cons: SEQUENCE          

ElectricFence Aborting: Allocating 0 bytes, probably a bug.
Illegal instruction (core dumped)

Before fix of d2i_ASN1_ENUMERATED:

    0:d=0  hl=2 l=inf  cons: SEQUENCE          
    2:d=1  hl=2 l=inf  cons: SEQUENCE          
    4:d=2  hl=2 l=   1 prim: BOOLEAN           :0
    7:d=2  hl=2 l=   0 prim: EOC               
    9:d=1  hl=2 l=inf  cons: SEQUENCE          
   11:d=2  hl=2 l=   0 prim: INTEGER           :00
   13:d=2  hl=2 l=   0 prim: EOC               
   15:d=1  hl=2 l=inf  cons: SEQUENCE          
   17:d=2  hl=2 l=   0 prim: BIT STRING        
   19:d=2  hl=2 l=   0 prim: EOC               
   21:d=1  hl=2 l=inf  cons: SEQUENCE          
   23:d=2  hl=2 l=   0 prim: OCTET STRING      
   25:d=2  hl=2 l=   0 prim: EOC               
   27:d=1  hl=2 l=inf  cons: SEQUENCE          
   29:d=2  hl=2 l=   0 prim: NULL              
   31:d=2  hl=2 l=   0 prim: EOC               
   33:d=1  hl=2 l=inf  cons: SEQUENCE          
   35:d=2  hl=2 l=   0 prim: OBJECT            :0.0
   37:d=2  hl=2 l=   0 prim: EOC               
   39:d=1  hl=2 l=inf  cons: SEQUENCE          
   41:d=2  hl=2 l=   0 prim:  7 (unknown)      
   43:d=2  hl=2 l=   0 prim: EOC               
   45:d=1  hl=2 l=inf  cons: SEQUENCE          
   47:d=2  hl=2 l=   0 prim:  8 (unknown)      
   49:d=2  hl=2 l=   0 prim: EOC               
   51:d=1  hl=2 l=inf  cons: SEQUENCE          
   53:d=2  hl=2 l=   0 prim:  9 (unknown)      
   55:d=2  hl=2 l=   0 prim: EOC               
   57:d=1  hl=2 l=inf  cons: SEQUENCE          
Segmentation fault (core dumped)

and finally, after the fixes:

    0:d=0  hl=2 l=inf  cons: SEQUENCE          
    2:d=1  hl=2 l=inf  cons: SEQUENCE          
    4:d=2  hl=2 l=   1 prim: BOOLEAN           :0
    7:d=2  hl=2 l=   0 prim: EOC               
    9:d=1  hl=2 l=inf  cons: SEQUENCE          
   11:d=2  hl=2 l=   0 prim: INTEGER           :00
   13:d=2  hl=2 l=   0 prim: EOC               
   15:d=1  hl=2 l=inf  cons: SEQUENCE          
   17:d=2  hl=2 l=   0 prim: BIT STRING        
   19:d=2  hl=2 l=   0 prim: EOC               
   21:d=1  hl=2 l=inf  cons: SEQUENCE          
   23:d=2  hl=2 l=   0 prim: OCTET STRING      
   25:d=2  hl=2 l=   0 prim: EOC               
   27:d=1  hl=2 l=inf  cons: SEQUENCE          
   29:d=2  hl=2 l=   0 prim: NULL              
   31:d=2  hl=2 l=   0 prim: EOC               
   33:d=1  hl=2 l=inf  cons: SEQUENCE          
   35:d=2  hl=2 l=   0 prim: OBJECT            :0.0
   37:d=2  hl=2 l=   0 prim: EOC               
   39:d=1  hl=2 l=inf  cons: SEQUENCE          
   41:d=2  hl=2 l=   0 prim:  7 (unknown)      
   43:d=2  hl=2 l=   0 prim: EOC               
   45:d=1  hl=2 l=inf  cons: SEQUENCE          
   47:d=2  hl=2 l=   0 prim:  8 (unknown)      
   49:d=2  hl=2 l=   0 prim: EOC               
   51:d=1  hl=2 l=inf  cons: SEQUENCE          
   53:d=2  hl=2 l=   0 prim:  9 (unknown)      
   55:d=2  hl=2 l=   0 prim: EOC               
   57:d=1  hl=2 l=inf  cons: SEQUENCE          
   59:d=2  hl=2 l=   0 prim: ENUMERATED        :00
   61:d=2  hl=2 l=   0 prim: EOC               
   63:d=1  hl=2 l=inf  cons: SEQUENCE          
   65:d=2  hl=2 l=   0 prim: 11 (unknown)      
   67:d=2  hl=2 l=   0 prim: EOC               
   69:d=1  hl=2 l=inf  cons: SEQUENCE          
   71:d=2  hl=2 l=   0 prim: 12 (unknown)      
   73:d=2  hl=2 l=   0 prim: EOC               
   75:d=1  hl=2 l=inf  cons: SEQUENCE          
   77:d=2  hl=2 l=   0 prim: 13 (unknown)      
   79:d=2  hl=2 l=   0 prim: EOC               
   81:d=1  hl=2 l=inf  cons: SEQUENCE          
   83:d=2  hl=2 l=   0 prim: 14 (unknown)      
   85:d=2  hl=2 l=   0 prim: EOC               
   87:d=1  hl=2 l=inf  cons: SEQUENCE          
   89:d=2  hl=2 l=   0 prim: 15 (unknown)      
   91:d=2  hl=2 l=   0 prim: EOC               
   93:d=1  hl=2 l=inf  cons: SEQUENCE          
   95:d=2  hl=2 l=   0 prim: NUMERICSTRING     
   97:d=2  hl=2 l=   0 prim: EOC               
   99:d=1  hl=2 l=inf  cons: SEQUENCE          
  101:d=2  hl=2 l=   0 prim: PRINTABLESTRING   :
  103:d=2  hl=2 l=   0 prim: EOC               
  105:d=1  hl=2 l=inf  cons: SEQUENCE          
  107:d=2  hl=2 l=   0 prim: T61STRING         :
  109:d=2  hl=2 l=   0 prim: EOC               
  111:d=1  hl=2 l=inf  cons: SEQUENCE          
  113:d=2  hl=2 l=   0 prim: VIDEOTEXSTRING    
  115:d=2  hl=2 l=   0 prim: EOC               
  117:d=1  hl=2 l=inf  cons: SEQUENCE          
  119:d=2  hl=2 l=   0 prim: IA5STRING         :
  121:d=2  hl=2 l=   0 prim: EOC               
  123:d=1  hl=2 l=inf  cons: SEQUENCE          
  125:d=2  hl=2 l=   0 prim: UTCTIME           :
  127:d=2  hl=2 l=   0 prim: EOC               
  129:d=1  hl=2 l=inf  cons: SEQUENCE          
  131:d=2  hl=2 l=   0 prim: GENERALIZEDTIME   :
  133:d=2  hl=2 l=   0 prim: EOC               
  135:d=1  hl=2 l=inf  cons: SEQUENCE          
  137:d=2  hl=2 l=   0 prim: GRAPHICSTRING     
  139:d=2  hl=2 l=   0 prim: EOC               
  141:d=1  hl=2 l=inf  cons: SEQUENCE          
  143:d=2  hl=2 l=   0 prim: VISIBLESTRING     :
  145:d=2  hl=2 l=   0 prim: EOC               
  147:d=1  hl=2 l=inf  cons: SEQUENCE          
  149:d=2  hl=2 l=   0 prim: GENERALSTRING     
  151:d=2  hl=2 l=   0 prim: EOC               
  153:d=1  hl=2 l=inf  cons: SEQUENCE          
  155:d=2  hl=2 l=   0 prim: UNIVERSALSTRING   
  157:d=2  hl=2 l=   0 prim: EOC               
  159:d=1  hl=2 l=inf  cons: SEQUENCE          
  161:d=2  hl=2 l=   0 prim: 29 (unknown)      
  163:d=2  hl=2 l=   0 prim: EOC               
  165:d=1  hl=2 l=inf  cons: SEQUENCE          
  167:d=2  hl=2 l=   0 prim: BMPSTRING         
  169:d=2  hl=2 l=   0 prim: EOC               
  171:d=1  hl=2 l=   0 prim: EOC               

*** crypto/asn1/orig/a_object.c Wed Jul 28 00:22:55 1999
--- crypto/asn1/a_object.c      Thu Dec  9 12:50:12 1999
***************
*** 223,229 ****
        if ((ret->data == NULL) || (ret->length < len))
                {
                if (ret->data != NULL) Free((char *)ret->data);
!               ret->data=(unsigned char *)Malloc((int)len);
                ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
                if (ret->data == NULL)
                        { i=ERR_R_MALLOC_FAILURE; goto err; }
--- 223,229 ----
        if ((ret->data == NULL) || (ret->length < len))
                {
                if (ret->data != NULL) Free((char *)ret->data);
!               ret->data=(unsigned char *)Malloc(len ? (int)len : 1);
                ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
                if (ret->data == NULL)
                        { i=ERR_R_MALLOC_FAILURE; goto err; }
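Review bot: The new `Malloc(len ? (int)len : 1)` only avoids the zero-byte allocation; it still lets a zero-length OBJECT IDENTIFIER through as a valid object, although X.690 requires at least one content octet (the first subidentifier), so an empty encoding is malformed input. The defensive fix is to reject it before reaching this allocation, for example `if (len <= 0) { i=<ASN1 error code for a bad object encoding>; goto err; }` placed where `len` is established, and leave the allocation as it was. The surviving `(int)len` cast also truncates a large `len` if it is a `long` here, as the cast suggests, so a bound on `len` at the same point would be worthwhile. d2i_ASN1_OBJECT's body starts and ends outside this hunk.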
*** crypto/asn1/orig/a_int.c    Thu Jun 24 03:50:27 1999
--- crypto/asn1/a_int.c Thu Dec  9 14:26:24 1999
***************
*** 190,195 ****
--- 190,196 ----
                goto err;
                }
        to=s;
+       if (len) {
        if (*p & 0x80) /* a negative number */
                {
                ret->type=V_ASN1_NEG_INTEGER;
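Review bot: Wrapping the sign handling in `if (len) {` makes an empty INTEGER decode silently as the value 0 (the final asn1parse log shows `INTEGER :00`), but X.690 requires at least one content octet for an INTEGER, so an empty encoding is malformed and is safer rejected at the point where `len` is established, above this hunk, than normalised. The identical `if (len) {` added to d2i_ASN1_ENUMERATED in a_enum.c has the same issue. The new brace also opens a block whose closing `}` lands in the next hunk with no re-indentation of the enclosed code, which hides the new scope; a single guard such as `if (len == 0) { i=<ASN1 error code>; goto err; }` before `to=s;` would avoid the extra nesting entirely. d2i_ASN1_INTEGER's body starts and ends outside this hunk.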
***************
*** 229,234 ****
--- 230,236 ----
                        len--;
                        }
                memcpy(s,p,(int)len);
+       }
        }
  
        if (ret->data != NULL) Free((char *)ret->data);
*** crypto/asn1/orig/a_enum.c   Fri May 14 20:21:14 1999
--- crypto/asn1/a_enum.c        Thu Dec  9 13:21:28 1999
***************
*** 171,176 ****
--- 171,177 ----
                goto err;
                }
        to=s;
+       if (len) {
        if (*p & 0x80) /* a negative number */
                {
                ret->type=V_ASN1_NEG_ENUMERATED;
***************
*** 206,211 ****
--- 207,213 ----
                        }
                memcpy(s,p,(int)len);
                p+=len;
+       }
        }
  
        if (ret->data != NULL) Free((char *)ret->data);
