Bug#499945: Segfault in asn1_get_tag_der().
Kurt Roeckx
kurt at roeckx.be
Fri Sep 26 20:26:29 UTC 2008
reassign 499945 lynx-cur 2.8.7dev9-2
thanks
On Fri, Sep 26, 2008 at 07:41:46PM +0200, Andreas Metzler wrote:
> On 2008-09-23 Kurt Roeckx <kurt at roeckx.be> wrote:
> > Package: libtasn1-3
> > Version: 1.4-1
> > Severity: grave
>
> > Hi,
>
>
> > When I run "lynx https://acrobat.com", I end up with a segfault. The
> > backtrace looks like:
>
> FWIW lynx+gnutls+tasn all built with -O0 gives a tiny bit of
> additional info:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007fc5fe8f0df7 in asn1_get_tag_der (
> der=0x700000000000046 <Address 0x700000000000046 out of bounds>,
> der_len=33, cls=0x7fff07e49f07 "", len=0x7fff07e49f14, tag=0x7fff07e49f08)
> at decoding.c:127
> 127 *cls = der[0] & 0xE0;
> (gdb) bt
> #0 0x00007fc5fe8f0df7 in asn1_get_tag_der (
> der=0x700000000000046 <Address 0x700000000000046 out of bounds>,
> der_len=33, cls=0x7fff07e49f07 "", len=0x7fff07e49f14, tag=0x7fff07e49f08)
> at decoding.c:127
> #1 0x00007fc5fe8f164e in _asn1_extract_tag_der (node=0x247aba0,
> der=0x700000000000046 <Address 0x700000000000046 out of bounds>,
> der_len=33, ret_len=0x7fff07e49f9c) at decoding.c:424
> #2 0x00007fc5fe8f22df in asn1_der_decoding (element=0x2448fd0,
> ider=0x700000000000046, len=33, errorDescription=0x0) at decoding.c:920
> #3 0x00007fc5ff566a0f in gnutls_x509_crt_import (cert=0x2448fd0,
> data=0x2435180, format=GNUTLS_X509_FMT_DER) at x509.c:213
The first problem I see is here:
#4 0xf7e0af92 in gnutls_x509_crt_import (cert=0x870d540, data=0x860f0a8,
format=GNUTLS_X509_FMT_DER) at x509.c:178
178 _data.data = data->data;
(gdb) p data
$1 = (const gnutls_datum_t *) 0x860f0a8
(gdb) p data->data
$2 = (unsigned char *) 0x61636900 <Address 0x61636900 out of bounds>
data seems to be allocated from 0x860f0a0 to 0x860f0a7.
The trace goes on like:
(gdb) up
#5 0x081f58f0 in ExtractCertificate (cert=0x860f0a8, result=0x8774000)
at ./tidy_tls.c:31
31 if ((rc = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER)) >= 0) {
(gdb) up
#6 0x081f79ec in X509_get_issuer_name (cert=0x860f0a0) at ./tidy_tls.c:573
573 if (ExtractCertificate(&cert[1], result) < 0) {
^^^^^^^^
That doesn't look normal to me.
(gdb) up
#7 0x0820f7f7 in show_cert_issuer (peer_cert=0x860f0a0)
at ../../../WWW/Library/Implementation/HTTP.c:459
459 X509_NAME_oneline(X509_get_issuer_name(peer_cert), ssl_dn, sizeof(ssl_dn));
#8 0x082115ea in HTLoadHTTP (arg=0x8613e40 "https://acrobat.com/",
anAnchor=0x85ce800, format_out=0x85be210, sink=0x0)
at ../../../WWW/Library/Implementation/HTTP.c:953
953 show_cert_issuer(peer_cert);
Where peer_cert is:
X509 *peer_cert; /* The peer certificate */
[...]
peer_cert = SSL_get_peer_certificate(handle);
X509_NAME_oneline(X509_get_subject_name(peer_cert),
Which would make it a bug in lynx, so I'm reassigning it.
Changing the cert[1] into cert[0] stops the segfault, but I doubt
that's a good fix for the problem.
Kurt
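The trace above boils down to one pointer-arithmetic mistake: `cert` points at a single object, and `&cert[1]` is `cert + 1`, i.e. the address one whole object past it, not a field inside it. Whatever bytes happen to follow in the heap are then handed to the importer as a certificate, which is why gdb printed an ASCII-looking "data" pointer (0x61636900) and libtasn1 faulted on the first dereference. The following C program is an added illustration of that failure mode; it is not code from lynx, GnuTLS or the bug report. The `cert_t` type, the `import_cert()` bounds check, and the `der`/filler values are constructed assumptions that only mimic the shapes seen in the trace (an 8-byte pointer-plus-size object on the 32-bit build, a 33-byte DER blob). The out-of-bounds read is kept well defined by placing the "neighbouring memory" in slot 1 of a two-element array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the certificate object: a data pointer plus a
 * length, like the 8-byte allocation at 0x860f0a0..0x860f0a7 in the report.
 * Real lynx/GnuTLS types differ; this is only an illustration. */
typedef struct {
    unsigned char *data;
    unsigned int size;
} cert_t;

/* How far &cert[1] is displaced from cert: always one whole object,
 * sizeof(*cert), never an offset within the same object. */
size_t index_one_offset(const cert_t *cert) {
    return (size_t)((const char *)&cert[1] - (const char *)cert);
}

/* Model of a consumer such as gnutls_x509_crt_import(). It accepts the datum
 * only if data..data+size lies inside [arena, arena+arena_len). The real
 * library has no such knowledge and simply dereferences the pointer, which
 * is the SIGSEGV in asn1_get_tag_der(); here an out-of-bounds datum is
 * reported as -1 instead of crashing. */
int import_cert(const cert_t *cert, const unsigned char *arena, size_t arena_len) {
    uintptr_t lo = (uintptr_t)arena;
    uintptr_t hi = lo + arena_len;
    uintptr_t p = (uintptr_t)cert->data;
    if (p < lo || p >= hi || cert->size > hi - p)
        return -1;                      /* points outside memory we own */
    return 0;
}

/* The buggy shape from tidy_tls.c:573: cert addresses ONE object, yet
 * &cert[1] is passed on, so the bytes after it are read as a certificate. */
int get_issuer_buggy(cert_t *cert, const unsigned char *arena, size_t arena_len) {
    return import_cert(&cert[1], arena, arena_len);
}

/* Corrected shape: the object itself, &cert[0], which is just cert. */
int get_issuer_fixed(cert_t *cert, const unsigned char *arena, size_t arena_len) {
    return import_cert(&cert[0], arena, arena_len);
}

/* Slot 0 is the real certificate; slot 1 stands for whatever happened to sit
 * next to it on the heap. Using an array keeps the "overread" defined. */
static cert_t slots[2];
static unsigned char der[33];           /* constructed DER-sized placeholder */

static void setup(void) {
    memset(der, 0x30, sizeof der);      /* constructed filler bytes */
    slots[0].data = der;
    slots[0].size = sizeof der;
    /* Neighbouring bytes that happen to be ASCII text, in the spirit of the
     * 0x61636900 "pointer" gdb showed. */
    unsigned char junk[sizeof(cert_t)];
    memset(junk, 'a', sizeof junk);
    memcpy(&slots[1], junk, sizeof junk);
}

int demo_buggy(void)   { setup(); return get_issuer_buggy(slots, der, sizeof der); }
int demo_fixed(void)   { setup(); return get_issuer_fixed(slots, der, sizeof der); }
size_t demo_offset(void) { return index_one_offset(slots); }

int main(void) {
    printf("&cert[1] is %zu bytes past cert (sizeof cert_t = %zu)\n",
           demo_offset(), sizeof(cert_t));
    printf("buggy &cert[1]: %d   fixed &cert[0]: %d\n", demo_buggy(), demo_fixed());
    return 0;
}
```

The point a reviewer would take from this: indexing a pointer that refers to a single object is only valid at index 0, and the compiler cannot tell the two apart. A sanitizer build (AddressSanitizer) of the real code would flag the read at the `&cert[1]` call site rather than deep inside libtasn1, which is the quickest way to confirm where such a fault originates.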