mirleft / ocaml-asn1-combinators

Embed typed ASN.1 grammars in OCaml
ISC License

Int64 overflow when parsing structure length #24

Closed emillon closed 4 years ago

emillon commented 5 years ago

Hi,

As with #23, this was found in a Wycheproof test case.

When parsing BER, the length of structures is computed on int64s, which can overflow. The following case is accepted, while it should be rejected:

  anticase "structure length overflow"
  Asn.S.(sequence (single (required integer))) [
    [ (* sequence; length is encoded in next 9 bytes *)
      0x30; 0x89;
      (* len = 2**64 + 3 *)
      0x01; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00; 0x03;
      (* integer, len = 1 *)
      0x02; 0x01;
      (* value = 0 *)
      0x00;
    ]];

Note that the same starting with 0x30 0x89 0x00 should be accepted since it's a valid encoding of len=3.

Thanks!
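
The overflow described above, as an added example that is not code from ocaml-asn1-combinators (the library's own fix lives in its repository): a Python BER definite-length decoder written two ways, a deliberately wrapping form that mirrors unchecked Int64 arithmetic and a checked form that refuses the length before it can wrap, both run on the two byte strings from the issue. The function names (`decode_length_wrapping`, `decode_length_checked`, `parse_sequence_of_integer`, `accepts`) and the `SEQUENCE { INTEGER }` mini-parser are assumptions made for illustration.

```python
"""Added example, not code from ocaml-asn1-combinators: a BER definite-length
decoder written two ways, run on the constructed bytes from this issue.
decode_length_wrapping mimics unchecked Int64 arithmetic (the reported bug);
decode_length_checked rejects a length before it can wrap."""

INT64_MASK = (1 << 64) - 1
INT64_MAX = (1 << 63) - 1          # largest value an OCaml Int64 can hold


class BerError(ValueError):
    """Raised when the encoding must be rejected."""


def _length_prefix(buf: bytes, pos: int):
    """Read the first length octet. Returns (short_length, n_octets, new_pos):
    short_length is set for the short form, n_octets for the long form."""
    if pos >= len(buf):
        raise BerError("missing length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, 0, pos
    n = first & 0x7F
    if n == 0:
        raise BerError("indefinite length not handled in this example")
    if pos + n > len(buf):
        raise BerError("truncated long-form length")
    return None, n, pos


def decode_length_wrapping(buf: bytes, pos: int):
    """Buggy variant: shifts every octet into a 64-bit accumulator that wraps
    silently, so 2**64 + 3 decodes as 3 and the bogus encoding slips through."""
    short, n, pos = _length_prefix(buf, pos)
    if n == 0:
        return short, pos
    acc = 0
    for b in buf[pos:pos + n]:
        acc = ((acc << 8) | b) & INT64_MASK      # wraps at 2**64, like Int64
    if acc > INT64_MAX:                           # reinterpret as signed int64
        acc -= 1 << 64
    return acc, pos + n


def decode_length_checked(buf: bytes, pos: int):
    """Hardened variant: refuse to shift once the accumulator could exceed
    INT64_MAX, and refuse lengths that run past the buffer. Leading zero
    octets (e.g. 0x89 0x00 ... 0x03) are still accepted, as BER allows."""
    short, n, pos = _length_prefix(buf, pos)
    if n == 0:
        return short, pos
    acc = 0
    for b in buf[pos:pos + n]:
        if acc > (INT64_MAX >> 8):
            raise BerError("length does not fit in 63 bits")
        acc = (acc << 8) | b
    if acc > len(buf) - (pos + n):
        raise BerError("length exceeds remaining data")
    return acc, pos + n


def parse_sequence_of_integer(buf: bytes, decode_length) -> int:
    """Parse SEQUENCE { INTEGER } (the grammar in the issue) with the given
    length decoder and return the INTEGER value."""
    if not buf or buf[0] != 0x30:
        raise BerError("expected SEQUENCE tag")
    seq_len, pos = decode_length(buf, 1)
    end = pos + seq_len
    if seq_len < 0 or end > len(buf):
        raise BerError("SEQUENCE length out of range")
    if pos >= end or buf[pos] != 0x02:
        raise BerError("expected INTEGER tag")
    int_len, pos = decode_length(buf, pos + 1)
    if int_len < 1 or pos + int_len != end:
        raise BerError("INTEGER length out of range")
    return int.from_bytes(buf[pos:end], "big", signed=True)


def accepts(buf: bytes, decode_length) -> bool:
    """True if the decoder accepts buf as SEQUENCE { INTEGER }."""
    try:
        parse_sequence_of_integer(buf, decode_length)
        return True
    except BerError:
        return False


# Constructed inputs copied from the issue text: length octets 0x89 followed
# by nine octets, encoding 2**64 + 3 (must be rejected) and 3 (must be accepted).
OVERFLOW = bytes([0x30, 0x89, 0x01, 0, 0, 0, 0, 0, 0, 0, 0x03, 0x02, 0x01, 0x00])
LEADING_ZERO = bytes([0x30, 0x89, 0x00, 0, 0, 0, 0, 0, 0, 0, 0x03, 0x02, 0x01, 0x00])

if __name__ == "__main__":
    print("wrapping accepts overflow:", accepts(OVERFLOW, decode_length_wrapping))
    print("checked accepts overflow:", accepts(OVERFLOW, decode_length_checked))
    print("checked accepts leading zero:", accepts(LEADING_ZERO, decode_length_checked))
```

Note why a plain "length must fit in the remaining buffer" check is not enough on its own: after wrapping, 2**64 + 3 reads as 3, and three bytes really do remain, so the bounds check passes. The guard has to run before each shift, which is also what lets the leading-zero encoding through unchanged.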

pqwy commented 5 years ago

This is handled there.

Unfortunately, 1,818,000,000 executions later, I still cannot get AFL to detect this. I suspect that the guided fuzzing it's employing is a little blind to overflows -- as long as they are memory-safe -- as they don't change the control flow. :cry:

hannesm commented 4 years ago

Thanks, this is fixed and part of the 0.2.1 release. Closing.