Stack overflow in gnutls_pkcs11_token_init()
Hello GnuTLS team,
We believe that we have discovered a potential security vulnerability in gnutls related to PKCS#11 token initialization. It appears to be a stack-based buffer overflow in gnutls_pkcs11_token_init() ("lib/pkcs11_write.c") due to an unbounded memcpy into a fixed-size stack buffer.
Summary: An attacker-controlled label (longer than 32 bytes) is copied into a 32-byte stack buffer without length checks, leading to out-of-bounds writes, process crash, or potential code execution depending on hardening.
char flabel[32];
/* so it seems memset has other uses than zeroing! */
memset(flabel, ' ', sizeof(flabel));
if (label != NULL)
        memcpy(flabel, label, strlen(label)); /* no bounds check */
Proposed fix:
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -1209,8 +1209,12 @@ gnutls_pkcs11_token_init(const char *token_url,
const char *so_pin,
- memset(flabel, ' ', sizeof(flabel));
- if (label != NULL)
- memcpy(flabel, label, strlen(label));
+ memset(flabel, ' ', sizeof(flabel));
+ if (label != NULL) {
+ size_t l = strlen(label);
+ if (l > sizeof(flabel))
+ l = sizeof(flabel);
+ memcpy(flabel, label, l);
+ }
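Review bot: the clamp `if (l > sizeof(flabel)) l = sizeof(flabel);` silently truncates an over-long label, so a caller that asked for a 40-byte label gets a token carrying a different name with no indication that anything was dropped; consider returning an error (GNUTLS_E_INVALID_REQUEST, for instance) when strlen(label) exceeds sizeof(flabel) instead of clamping. The bound itself is right for the 32-byte, space-padded, non-NUL-terminated C_InitToken label, so no terminator byte is needed. Separately, the hunk header says 8 old and 12 new lines but only 3 removed, 7 added and one context line are visible, so the surrounding context appears to have been lost in the mail; sending the patch as an attachment or via `git format-patch` would let it apply cleanly.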
Thanks for taking a look into this. If you need any more information let me know.
Best,
Luigino Camastra
Aisle Research
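As an added example, not part of the report above and not gnutls code: a hypothetical helper fill_token_label() that builds the 32-byte space-padded C_InitToken label and returns an error for a label longer than 32 bytes, so the caller neither overflows the buffer (the reported bug) nor gets a silently truncated token name. token_label_matches() and the 33-byte label in main() are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not gnutls code.  A PKCS#11 C_InitToken label is
 * exactly 32 bytes, space-padded and NOT NUL-terminated. */
#define TOKEN_LABEL_LEN 32

/* Fills out[] with the padded label.  Returns 0 on success, -1 when the
 * label exceeds 32 bytes: the caller gets an error instead of an
 * out-of-bounds write (the reported bug) or a silently renamed token
 * (what clamping the length to sizeof(flabel) would give). */
int fill_token_label(char out[TOKEN_LABEL_LEN], const char *label)
{
    size_t l = 0;
    if (label != NULL) {
        /* Bounded scan: stop as soon as the label is known to be too long. */
        while (l <= TOKEN_LABEL_LEN && label[l] != '\0')
            l++;
        if (l > TOKEN_LABEL_LEN)
            return -1;
    }
    memset(out, ' ', TOKEN_LABEL_LEN);
    if (l > 0)
        memcpy(out, label, l); /* l <= TOKEN_LABEL_LEN, checked above */
    return 0;
}

/* Returns 1 if out[] holds label followed only by space padding. */
int token_label_matches(const char out[TOKEN_LABEL_LEN], const char *label)
{
    size_t l = strlen(label);
    if (l > TOKEN_LABEL_LEN || memcmp(out, label, l) != 0)
        return 0;
    for (size_t i = l; i < TOKEN_LABEL_LEN; i++)
        if (out[i] != ' ')
            return 0;
    return 1;
}

int main(void)
{
    char flabel[TOKEN_LABEL_LEN];
    char too_long[TOKEN_LABEL_LEN + 2]; /* constructed 33-byte label */
    memset(too_long, 'A', TOKEN_LABEL_LEN + 1);
    too_long[TOKEN_LABEL_LEN + 1] = '\0';
    printf("8-byte label:  %d\n", fill_token_label(flabel, "my token"));
    printf("33-byte label: %d\n", fill_token_label(flabel, too_long));
    return 0;
}
```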