[Mono-dev] [PATCH] Perform bounds check when getting length from TLV
Greg Suarez
gpsuarez2512 at gmail.com
Tue Mar 21 22:27:24 UTC 2017
Some files with a malformed (malicious?) digital signature cause Decode()
in ASN1.cs to go into an infinite loop,
consuming more and more memory until the process is killed by the kernel
(tested on Linux).
---
mcs/class/Mono.Security/Mono.Security/ASN1.cs | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/mcs/class/Mono.Security/Mono.Security/ASN1.cs
b/mcs/class/Mono.Security/Mono.Security/ASN1.cs
index 751a2ece4e6..d350f6fbf14 100644
--- a/mcs/class/Mono.Security/Mono.Security/ASN1.cs
+++ b/mcs/class/Mono.Security/Mono.Security/ASN1.cs
@@ -250,6 +250,11 @@ namespace Mono.Security {
// sometimes we get trailing 0
if (nTag == 0)
continue;
+ if (anPos + nLength > anLength)
+ {
+ anPos = anLength;
+ break;
+ }
ASN1 elm = Add (new ASN1 (nTag, aValue));
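Review bot: The new bounds test sits after the "if (nTag == 0) continue;" shortcut, so an element with a zero tag and a length that runs past anLength never reaches it; moving the test above the nTag test would cover both paths. aValue is also already populated at this point (it is passed to new ASN1 on the next line), so the length has been used before it is validated, and checking it where the TLV length is decoded would be more robust. Writing the comparison as "nLength > anLength - anPos" avoids a wrap in the addition for very large lengths, and a short comment saying that truncated input ends the loop silently rather than raising an error would help the next reader. The opening brace on its own line also differs from the same-line brace style visible in "namespace Mono.Security {".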
--
2.11.0