
Panic caused by out of bounds error in privkey parsing #3

Closed
@rozbb

I found this by running AFL against the privkey parser. In openssh::Asn1::sequence there are the lines

let bytes = self.read_len()?;
let res = Asn1::new(&self.data[self.offset..self.offset+bytes]);

self.offset is bounds-checked at the beginning of the function, but bytes is not, or at least not sufficiently. Here's a private key that triggers a panic:

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
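The following is an added example, not code from the openssh crate or from the reporter: a minimal DER SEQUENCE reader that reproduces the pattern described above (slicing with an untrusted length) next to a bounds-checked version that returns an error instead of panicking. The `Reader`, `read_len` and `Asn1Error` names, the long-form length handling, and the two byte strings are all constructed for this illustration.

```rust
// Added example (not the openssh crate's code). A tiny DER SEQUENCE reader
// showing the unchecked slice from the report beside a hardened version.

#[derive(Debug, PartialEq)]
pub enum Asn1Error {
    Truncated,            // declared length runs past the end of the buffer
    BadTag(u8),           // expected SEQUENCE (0x30)
    LongFormUnsupported,  // length encodings longer than 4 bytes
}

pub struct Reader<'a> {
    data: &'a [u8],
    offset: usize,
}

impl<'a> Reader<'a> {
    pub fn new(data: &'a [u8]) -> Self {
        Reader { data, offset: 0 }
    }

    fn read_u8(&mut self) -> Result<u8, Asn1Error> {
        let b = *self.data.get(self.offset).ok_or(Asn1Error::Truncated)?;
        self.offset += 1;
        Ok(b)
    }

    // Hypothetical read_len: DER short form, and long form up to 4 bytes.
    // Note that it happily returns a length far larger than the buffer.
    pub fn read_len(&mut self) -> Result<usize, Asn1Error> {
        let first = self.read_u8()?;
        if first & 0x80 == 0 {
            return Ok(first as usize);
        }
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 {
            return Err(Asn1Error::LongFormUnsupported);
        }
        let mut len = 0usize;
        for _ in 0..n {
            len = (len << 8) | self.read_u8()? as usize;
        }
        Ok(len)
    }

    // Mirrors the reported pattern: the untrusted length is used directly in
    // the slice. A length beyond the remaining data panics (index out of range).
    pub fn sequence_unchecked(&mut self) -> Result<&'a [u8], Asn1Error> {
        let tag = self.read_u8()?;
        if tag != 0x30 {
            return Err(Asn1Error::BadTag(tag));
        }
        let bytes = self.read_len()?;
        let data: &'a [u8] = self.data;
        let res = &data[self.offset..self.offset + bytes];
        self.offset += bytes;
        Ok(res)
    }

    // Hardened: checked_add guards against overflow of offset + bytes and
    // slice::get guards against the range running past the buffer.
    pub fn sequence(&mut self) -> Result<&'a [u8], Asn1Error> {
        let tag = self.read_u8()?;
        if tag != 0x30 {
            return Err(Asn1Error::BadTag(tag));
        }
        let bytes = self.read_len()?;
        let end = self.offset.checked_add(bytes).ok_or(Asn1Error::Truncated)?;
        let data: &'a [u8] = self.data;
        let res = data.get(self.offset..end).ok_or(Asn1Error::Truncated)?;
        self.offset = end;
        Ok(res)
    }
}

// Constructed inputs (not the key from the report).
pub const GOOD: &[u8] = &[0x30, 0x03, 0x02, 0x01, 0x05]; // SEQUENCE { INTEGER 5 }
pub const BAD: &[u8] = &[0x30, 0x84, 0xff, 0xff, 0xff, 0xff]; // claims ~4 GiB of content

pub fn parse_hardened(input: &[u8]) -> Result<Vec<u8>, Asn1Error> {
    Reader::new(input).sequence().map(|s| s.to_vec())
}

// Returns true if the unchecked parser panics on the input.
pub fn unchecked_panics(input: &[u8]) -> bool {
    std::panic::catch_unwind(|| {
        let _ = Reader::new(input).sequence_unchecked();
    })
    .is_err()
}

fn main() {
    println!("hardened on GOOD: {:?}", parse_hardened(GOOD));
    println!("hardened on BAD:  {:?}", parse_hardened(BAD));
    println!("unchecked panics on BAD: {}", unchecked_panics(BAD));
}
```

The fix is the two lines in `sequence`: both the addition and the slice are fallible on attacker-controlled input, so neither should be allowed to panic in a parser that accepts untrusted key files. Fuzzing with AFL, as the report did, is the practical check that no other slice in the parser still uses an unchecked length.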
