Re: [opensc-devel] SIGSEGV print_tags_recursive - fix

2008-04-29 Thread Alon Bar-Lev
Committed rev 3504.

On 4/28/08, Aktiv Co. Aleksey Samsonov [EMAIL PROTECTED] wrote:
 Patch opensc-0.11.4.trunk-r3502-fix-segv_print_tags_asn1.diff (for trunk
 revision 3502) is a draft.


  Example 1 (SIGSEGV):

  OpenSC Explorer version 0.11.4-svn
  OpenSC [3F00] cd ff00
  OpenSC [3F00/FF00] asn1 0001
  Printing tags for buffer of length 512
  [Switching to Thread -1211906368 (LWP 25131)]

  Breakpoint 1, print_tags_recursive (buf0=0x8066060 , buf=0x8066060 ,
  buflen=512, depth=0)
   at asn1.c:219
  219 size_t bytesleft = buflen;
  (gdb) p *(char[512]*)buf
  $21 = '\0' <repeats 511 times>
  (gdb) bt
  #0  print_tags_recursive (buf0=0x8066060 , buf=0x8066060 ,
  buflen=512, depth=0) at asn1.c:219
  #1  0xb7dc52d8 in sc_asn1_print_tags (buf=0x8066060 , buflen=512) at
  asn1.c:292
  #2  0x0804cd9e in do_asn1 (argc=1, argv=0xbfb95864) at
  opensc-explorer.c:1571
  #3  0x0804d4af in main (argc=1, argv=0xbfb95974) at opensc-explorer.c:1780
  (gdb) until 230
  print_tags_recursive (buf0=0x8066060 , buf=0x8066060 , buflen=512,
  depth=0) at asn1.c:230
  230 r = sc_asn1_read_tag(&tagp, bytesleft, &cla,
  &tag, &len);
  (gdb) p/x cla
  $22 = 0xb7eea718
  (gdb) p/x tag
  $23 = 0xb7d9f8c8
  (gdb) s
  sc_asn1_read_tag (buf=0xbfb9572c, buflen=512, cla_out=0xbfb95734,
  tag_out=0xbfb95730, taglen=0xbfb95728)
   at asn1.c:56
  56  const u8 *p = *buf;
  (gdb)
  57  size_t left = buflen, len;
  (gdb)
  60  if (left < 2)
  (gdb)
  62  *buf = NULL;
  (gdb)
  63  if (*p == 0xff || *p == 0)
  (gdb)
  65  return SC_SUCCESS;
  (gdb)
  111 }
  (gdb)
  print_tags_recursive (buf0=0x8066060 , buf=0x8066060 , buflen=512,
  depth=0) at asn1.c:231
  231 if (r != SC_SUCCESS) {
  (gdb) p/x cla
  $24 = 0xb7eea718
  (gdb) p/x tag
  $25 = 0xb7d9f8c8
  (gdb) n
  235 hlen = tagp - p;
  (gdb)
  236 if (cla == 0 && tag == 0) {
  (gdb)
  240 for (i = 0; i < depth; i++) {
  (gdb)
  244 printf("%02X %s: tag 0x%02X, length %3d: ",
  (gdb)

  Program received signal SIGSEGV, Segmentation fault.
  0xb7dc5108 in print_tags_recursive (buf0=0x8066060 , buf=0x8066060 ,
  buflen=512, depth=0)
   at asn1.c:244


  Example 2 (Illegal length!):

  $ opensc-explorer
  OpenSC Explorer version 0.11.4-svn
  OpenSC [3F00] cd ff00
  OpenSC [3F00/FF00] asn1 0001
  Printing tags for buffer of length 512
  30 Univ: tag 0x10, length 120: SEQUENCE
 30 Univ: tag 0x10, length  39: SEQUENCE
   0C Univ: tag 0x0C, length  30: UTF8STRING [Sample Private Key
  (Aktiv Co.)]
   03 Univ: tag 0x03, length   2: BIT STRING [11]
   04 Univ: tag 0x04, length   1: OCTET STRING [02]
 30 Univ: tag 0x10, length  55: SEQUENCE
   04 Univ: tag 0x04, length  42: OCTET STRING
 [4944206F662070616972206F66205253412073616D706C65206B6579732028416B74697620436F2E2900]
   03 Univ: tag 0x03, length   2: BIT STRING [100]
   03 Univ: tag 0x03, length   2: BIT STRING [11101]
   02 Univ: tag 0x02, length   1: INTEGER [0]
 A0 Cntx: tag 0x00, length   0:
 A1 Cntx: tag 0x01, length  18:
   30 Univ: tag 0x10, length  16: SEQUENCE
 30 Univ: tag 0x10, length  10: SEQUENCE
   04 Univ: tag 0x04, length   8: OCTET STRING [3F00FF00]
 02 Univ: tag 0x02, length   2: INTEGER [512]
  30 Univ: tag 0x10, length 120:  Illegal length!
  OpenSC [3F00/FF00] cat 0001
  : 30 78 30 27 0C 1E 53 61 6D 70 6C 65 20 50 72 69
  0010: 76 61 74 65 20 4B 65 79 20 28 41 6B 74 69 76 20
  0020: 43 6F 2E 29 03 02 06 C0 04 01 02 30 37 04 2A 49
  0030: 44 20 6F 66 20 70 61 69 72 20 6F 66 20 52 53 41
  0040: 20 73 61 6D 70 6C 65 20 6B 65 79 73 20 28 41 6B
  0050: 74 69 76 20 43 6F 2E 29 00 03 02 05 20 03 02 03
  0060: B8 02 01 00 A0 00 A1 12 30 10 30 0A 04 08 3F 00
  0070: FF 00 00 00 00 00 02 02 02 00 00 00 00 00 00 00
  0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ...
  01F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00



 diff -u -r opensc-0.11.4.trunk-r3502/src/libopensc/asn1.c
 opensc-0.11.4.trunk-r3502_new/src/libopensc/asn1.c
  --- opensc-0.11.4.trunk-r3502/src/libopensc/asn1.c
 2008-02-29 15:37:46.0 +0300
  +++ opensc-0.11.4.trunk-r3502_new/src/libopensc/asn1.c
 2008-04-28 17:11:00.0 +0400
  @@ -223,7 +223,7 @@
 const u8 *p = buf;

 while (bytesleft = 2) {
  -   unsigned int cla, tag, hlen;
  +   unsigned int cla = 0, tag = 0, hlen;
 const u8 *tagp = p;
 size_t len;
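Review bot: Zero-initializing cla and tag makes the loop rely on the `cla == 0 && tag == 0` test at asn1.c:236 to recognize the padding case, but the trace shows sc_asn1_read_tag signals that case by setting `*buf = NULL` (asn1.c:62) and returning SC_SUCCESS without writing any out-parameter, so `hlen = tagp - p` at :235 is still evaluated with a NULL tagp before that test runs, and len stays uninitialized too. A direct check right after the call, `if (tagp == NULL) break;`, would stop the walk on padding without depending on the callee's partial-write contract, and would presumably also remove the stale "30 Univ: tag 0x10, length 120: Illegal length!" line in Example 2, which looks like the previous iteration's values being reused. Initializing `size_t len = 0;` in the same hunk is cheap for the same reason. The while-loop body continues past the hunk, so the later checks are not visible here.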







[opensc-devel] SIGSEGV print_tags_recursive - fix

2008-04-28 Thread Aktiv Co. Aleksey Samsonov

Patch opensc-0.11.4.trunk-r3502-fix-segv_print_tags_asn1.diff (for trunk
revision 3502) is a draft.


Example 1 (SIGSEGV):

OpenSC Explorer version 0.11.4-svn
OpenSC [3F00] cd ff00
OpenSC [3F00/FF00] asn1 0001
Printing tags for buffer of length 512
[Switching to Thread -1211906368 (LWP 25131)]

Breakpoint 1, print_tags_recursive (buf0=0x8066060 , buf=0x8066060 ,
buflen=512, depth=0)
  at asn1.c:219
219 size_t bytesleft = buflen;
(gdb) p *(char[512]*)buf
$21 = '\0' <repeats 511 times>
(gdb) bt
#0  print_tags_recursive (buf0=0x8066060 , buf=0x8066060 ,
buflen=512, depth=0) at asn1.c:219
#1  0xb7dc52d8 in sc_asn1_print_tags (buf=0x8066060 , buflen=512) at
asn1.c:292
#2  0x0804cd9e in do_asn1 (argc=1, argv=0xbfb95864) at
opensc-explorer.c:1571
#3  0x0804d4af in main (argc=1, argv=0xbfb95974) at opensc-explorer.c:1780
(gdb) until 230
print_tags_recursive (buf0=0x8066060 , buf=0x8066060 , buflen=512,
depth=0) at asn1.c:230
230 r = sc_asn1_read_tag(&tagp, bytesleft, &cla,
&tag, &len);
(gdb) p/x cla
$22 = 0xb7eea718
(gdb) p/x tag
$23 = 0xb7d9f8c8
(gdb) s
sc_asn1_read_tag (buf=0xbfb9572c, buflen=512, cla_out=0xbfb95734,
tag_out=0xbfb95730, taglen=0xbfb95728)
  at asn1.c:56
56  const u8 *p = *buf;
(gdb)
57  size_t left = buflen, len;
(gdb)
60  if (left < 2)
(gdb)
62  *buf = NULL;
(gdb)
63  if (*p == 0xff || *p == 0)
(gdb)
65  return SC_SUCCESS;
(gdb)
111 }
(gdb)
print_tags_recursive (buf0=0x8066060 , buf=0x8066060 , buflen=512,
depth=0) at asn1.c:231
231 if (r != SC_SUCCESS) {
(gdb) p/x cla
$24 = 0xb7eea718
(gdb) p/x tag
$25 = 0xb7d9f8c8
(gdb) n
235 hlen = tagp - p;
(gdb)
236 if (cla == 0 && tag == 0) {
(gdb)
240 for (i = 0; i < depth; i++) {
(gdb)
244 printf("%02X %s: tag 0x%02X, length %3d: ",
(gdb)

Program received signal SIGSEGV, Segmentation fault.
0xb7dc5108 in print_tags_recursive (buf0=0x8066060 , buf=0x8066060 ,
buflen=512, depth=0)
  at asn1.c:244


Example 2 (Illegal length!):

$ opensc-explorer
OpenSC Explorer version 0.11.4-svn
OpenSC [3F00] cd ff00
OpenSC [3F00/FF00] asn1 0001
Printing tags for buffer of length 512
30 Univ: tag 0x10, length 120: SEQUENCE
30 Univ: tag 0x10, length  39: SEQUENCE
  0C Univ: tag 0x0C, length  30: UTF8STRING [Sample Private Key
(Aktiv Co.)]
  03 Univ: tag 0x03, length   2: BIT STRING [11]
  04 Univ: tag 0x04, length   1: OCTET STRING [02]
30 Univ: tag 0x10, length  55: SEQUENCE
  04 Univ: tag 0x04, length  42: OCTET STRING
[4944206F662070616972206F66205253412073616D706C65206B6579732028416B74697620436F2E2900]
  03 Univ: tag 0x03, length   2: BIT STRING [100]
  03 Univ: tag 0x03, length   2: BIT STRING [11101]
  02 Univ: tag 0x02, length   1: INTEGER [0]
A0 Cntx: tag 0x00, length   0:
A1 Cntx: tag 0x01, length  18:
  30 Univ: tag 0x10, length  16: SEQUENCE
30 Univ: tag 0x10, length  10: SEQUENCE
  04 Univ: tag 0x04, length   8: OCTET STRING [3F00FF00]
02 Univ: tag 0x02, length   2: INTEGER [512]
30 Univ: tag 0x10, length 120:  Illegal length!
OpenSC [3F00/FF00] cat 0001
: 30 78 30 27 0C 1E 53 61 6D 70 6C 65 20 50 72 69
0010: 76 61 74 65 20 4B 65 79 20 28 41 6B 74 69 76 20
0020: 43 6F 2E 29 03 02 06 C0 04 01 02 30 37 04 2A 49
0030: 44 20 6F 66 20 70 61 69 72 20 6F 66 20 52 53 41
0040: 20 73 61 6D 70 6C 65 20 6B 65 79 73 20 28 41 6B
0050: 74 69 76 20 43 6F 2E 29 00 03 02 05 20 03 02 03
0060: B8 02 01 00 A0 00 A1 12 30 10 30 0A 04 08 3F 00
0070: FF 00 00 00 00 00 02 02 02 00 00 00 00 00 00 00
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...
01F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


diff -u -r opensc-0.11.4.trunk-r3502/src/libopensc/asn1.c 
opensc-0.11.4.trunk-r3502_new/src/libopensc/asn1.c
--- opensc-0.11.4.trunk-r3502/src/libopensc/asn1.c  2008-02-29 
15:37:46.0 +0300
+++ opensc-0.11.4.trunk-r3502_new/src/libopensc/asn1.c  2008-04-28 
17:11:00.0 +0400
@@ -223,7 +223,7 @@
const u8 *p = buf;
 
while (bytesleft = 2) {
-   unsigned int cla, tag, hlen;
+   unsigned int cla = 0, tag = 0, hlen;
const u8 *tagp = p;
size_t len;
 

