encode_ber_digest_info: added sanity check

Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15665 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2019-07-08 19:33:50 +0200
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2019-07-08 19:37:20 +0200
commit: ed93d5f01d7c118c9f6ded65495b9787a9c80fee (patch)
tree: 15dcdaa59450d71976c6c4b1c6dd69d44a1a500b
parent: b50f6c63189043ab2cce2fba641c1512fe61da7b (diff)
download: gnutls-ed93d5f01d7c118c9f6ded65495b9787a9c80fee.tar.gz
2 files changed, 4 insertions, 0 deletions
diff --git a/fuzz/gnutls_x509_verify_fuzzer.repro/5b24d9a0bdb049a203a1fac98d2854bbc6062195 b/fuzz/gnutls_x509_verify_fuzzer.repro/5b24d9a0bdb049a203a1fac98d2854bbc6062195
new file mode 100644
index 0000000000..86b66c022c
--- /dev/null
+++ b/fuzz/gnutls_x509_verify_fuzzer.repro/5b24d9a0bdb049a203a1fac98d2854bbc6062195
diff --git a/lib/pk.c b/lib/pk.c
index 1887063eb0..debcc2ac09 100644
--- a/lib/pk.c
+++ b/lib/pk.c
@@ -598,6 +598,10 @@ encode_ber_digest_info(const mac_entry_st * e,
 	uint8_t *tmp_output;
 	int tmp_output_size;
 
+	/* prevent asn1_write_value() treating input as string */
+	if (digest->size == 0)
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
 	algo = _gnutls_x509_mac_to_oid(e);
 	if (algo == NULL) {
 		gnutls_assert();
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2019-07-08 19:33:50 +0200
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2019-07-08 19:37:20 +0200
commit	ed93d5f01d7c118c9f6ded65495b9787a9c80fee (patch)
tree	15dcdaa59450d71976c6c4b1c6dd69d44a1a500b
parent	b50f6c63189043ab2cce2fba641c1512fe61da7b (diff)
download	gnutls-ed93d5f01d7c118c9f6ded65495b9787a9c80fee.tar.gz