
Panic caused by out of bounds error in privkey parsing #3

Closed
rozbb opened this issue Apr 7, 2020 · 2 comments

Comments

@rozbb

rozbb commented Apr 7, 2020

I found this by running AFL against the privkey parser. In openssh::Asn1::sequence there are the lines

let bytes = self.read_len()?;
let res = Asn1::new(&self.data[self.offset..self.offset+bytes]);

self.offset is bounds-checked at the beginning of the function, but bytes is not, or at least not sufficiently. Here's a private key that triggers a panic:

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
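As an added example (not the crate's own code): a minimal DER reader in the shape the issue quotes, with the unchecked slice next to a checked version that returns an error instead of panicking. The `Asn1`, `read_len` and `sequence` names follow the issue; the `Asn1Error` enum, `byte`, `expect_tag`, `len` and the sample inputs are assumptions.

```rust
#[derive(Debug, PartialEq)]
pub enum Asn1Error { Truncated, BadTag, BadLength }
pub struct Asn1<'a> { data: &'a [u8], offset: usize }
impl<'a> Asn1<'a> {
    pub fn new(data: &'a [u8]) -> Self { Asn1 { data, offset: 0 } }
    pub fn len(&self) -> usize { self.data.len() }

    // One header byte, bounds-checked.
    fn byte(&mut self) -> Result<u8, Asn1Error> {
        let b = *self.data.get(self.offset).ok_or(Asn1Error::Truncated)?;
        self.offset += 1;
        Ok(b)
    }

    // DER length (short form, or long form of 1..=4 bytes). Header bytes are
    // checked, but the content length returned is not; that is the bug.
    fn read_len(&mut self) -> Result<usize, Asn1Error> {
        let first = self.byte()?;
        if first & 0x80 == 0 { return Ok(first as usize); }
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 { return Err(Asn1Error::BadLength); }
        let mut len = 0usize;
        for _ in 0..n { len = (len << 8) | self.byte()? as usize; }
        Ok(len)
    }

    fn expect_tag(&mut self, want: u8) -> Result<(), Asn1Error> {
        if self.byte()? != want { return Err(Asn1Error::BadTag); }
        Ok(())
    }

    // Same shape as the lines quoted in the issue: an unchecked `bytes`
    // larger than the remaining input makes the slice index panic.
    pub fn sequence_unchecked(&mut self) -> Result<Asn1<'a>, Asn1Error> {
        self.expect_tag(0x30)?;
        let bytes = self.read_len()?;
        let data: &'a [u8] = self.data;
        let res = Asn1::new(&data[self.offset..self.offset + bytes]);
        self.offset += bytes;
        Ok(res)
    }

    // Checked form: checked_add guards usize overflow and `get` turns an
    // overrun into an Err instead of a panic.
    pub fn sequence(&mut self) -> Result<Asn1<'a>, Asn1Error> {
        self.expect_tag(0x30)?;
        let bytes = self.read_len()?;
        let end = self.offset.checked_add(bytes).ok_or(Asn1Error::BadLength)?;
        let data: &'a [u8] = self.data;
        let body = data.get(self.offset..end).ok_or(Asn1Error::Truncated)?;
        self.offset = end;
        Ok(Asn1::new(body))
    }
}
```

A fuzzer finds the unchecked variant within a few iterations because any length byte above the remaining input size is enough; the checked variant turns the same inputs into `Err`.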
@tailhook
Owner

tailhook commented Apr 7, 2020

Fixed. Thanks!

I assumed that if you put the "key" here, I can use it in tests. Let me know if I'm wrong.

Also it's interesting that previous fuzzy testing didn't catch this.

@rozbb
Author

rozbb commented Apr 8, 2020

Woah, that was a super quick response! Thanks for looking at this. Yeah, the key I put here isn't sensitive at all.
