function "asn1_der_decoding" potentially causes infinite memory allocation
Description of problem:
function "asn1_der_decoding" causes infinite memory allocation when structure and input DER data are incongruent. I'm referring here to PKCS#15 TokenInfo from ASN.1 module e.g. at https://github.com/carblue/tasn1/blob/master/PKCS15.asn. Excerpt:

    TokenInfo ::= SEQUENCE {
        version         INTEGER { v1(0), v2(1) }, -- (v1,...),
        serialNumber    OCTET STRING,
        manufacturerID  Label OPTIONAL,
        label           [0] Label OPTIONAL,
        tokenflags      TokenFlags,
        ...more fields

It happened that my smart card's PKCS#15 EF.TokenInfo file 0x5032 got corrupted (i.e. not PKCS#15 compliant content any more: "tokenflags" were misplaced before "manufacturerID" instead of correctly behind "label"), thus forming incongruent input DER data.
Version of libtasn1 used:
4.13
Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)
Ubuntu (package libtasn1-6, installs Version 4.13-2)
How reproducible:
Steps to Reproduce: (the following is D language code, slightly different from C; there is no problem referring to D code as such, it works well with the "congruent buf DER input data"):

    asn1_node PKCS15, structure;
    string errorDescription;
    ubyte[] buf = new ubyte[length_of_input_data_in_bytes]; // 65 for my example DER input data

    asn1_parser2tree("PKCS15.asn", &PKCS15, errorDescription);          // load the ASN.1 module
    asn1_create_element(PKCS15, "PKCS15.TokenInfoChoice", &structure);  // instantiate the type to decode
    asn1_der_decoding(&structure, buf, errorDescription);               // decode buf into structure

Example for congruent buf DER input data: 303F0201010406C0C6406881C70C1A416476616E63656420436172642053797374656D73204C74642E801243544D36345F43304336343036383831433703020420
Example for incongruent buf DER input data: 3032020101040400000000030204200C1A416476616E63656420436172642053797374656D73204C74642EA0070C05626162616E36343036383831433703020420
Actual results:
Memory allocation failed, because I "jailed" memory usage with ulimit -d -m -v : 5000000; otherwise it would crash my OS system by infinitely allocating memory!
Expected results:
Successful DER data decoding into structure based on the provided .asn module file
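
A caller-side sanity check for dumps like the two above, as an added example (not libtasn1's or the reporter's code): it walks the top-level TLVs before any decoder is involved and reports fields that appear out of the excerpt's declared order, plus bytes left over after the outer SEQUENCE. The tag-to-field mapping and the names `read_tlv`, `precheck` and `ORDER` are assumptions of this example.

```python
# The two EF.TokenInfo dumps quoted in the report.
CONGRUENT = bytes.fromhex(
    "303F0201010406C0C6406881C70C1A416476616E63656420436172642053797374656D73"
    "204C74642E801243544D36345F43304336343036383831433703020420")
INCONGRUENT = bytes.fromhex(
    "3032020101040400000000030204200C1A416476616E63656420436172642053797374656D73"
    "204C74642EA0070C05626162616E36343036383831433703020420")

# Field order from the TokenInfo excerpt. The tag bytes are this example's
# assumption: Label as UTF8String (0x0C), TokenFlags as BIT STRING (0x03),
# [0] as context tag 0 with the constructed bit masked off.
ORDER = {0x02: (0, "version"), 0x04: (1, "serialNumber"),
         0x0C: (2, "manufacturerID"), 0x80: (3, "label"), 0x03: (4, "tokenflags")}

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) for the TLV at pos, bounded by end."""
    if pos + 2 > end or buf[pos] & 0x1F == 0x1F:
        raise ValueError(f"bad or unsupported tag at offset {pos}")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError(f"length {length} runs past the enclosing element")
    return tag, pos, pos + length

def precheck(buf):
    """Return (field_names, trailing_bytes, problem_or_None) for a TokenInfo dump."""
    tag, pos, end = read_tlv(buf, 0, len(buf))
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    names, last, problem = [], (-1, None), None
    while pos < end:
        tag, _, pos = read_tlv(buf, pos, end)
        idx, name = ORDER.get(tag & 0xDF, (None, f"tag 0x{tag:02X}"))
        names.append(name)
        if idx is not None:
            if idx < last[0] and problem is None:
                problem = f"{name} appears after {last[1]}"
            last = max(last, (idx, name))
    return names, len(buf) - end, problem

if __name__ == "__main__":
    for label, dump in (("congruent", CONGRUENT), ("incongruent", INCONGRUENT)):
        print(label, precheck(dump))
```

Fields beyond the excerpt ("...more fields") are listed by tag only and never flagged, since their order is not given here.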