
Overrun in TLV parser

Status: Open. dmercer-google opened this issue 1 year ago · 1 comment

The TLV parser will read nested TLVs beyond the length of their parent container. Consider the nested TLV below:

010108 020100 0303000000

This parses correctly.

Now consider the erroneous TLV below:

010106 020100 0303000000

This also parses with no error despite the length of the top level container being set, erroneously, to 6 vs 8.

We encountered this while reviewing our pre-personalization of the CHUID container. In our case we had changed from 1 byte to 3 byte container IDs but we had neglected to add 2 to the overall container length. Despite the error, pre-provisioning worked fine when it should have failed.

dmercer-google avatar Jul 26 '23 14:07 dmercer-google

This is correct and I've tagged it as a bug. My intention is to review the TLVReader class, but most importantly it needs a validate() method that checks the tag and length values for conformance and sanity before allowing it to be used.

Unfortunately, as in your case, it 'failed successfully', which may result in other perso scripts that have worked in the past failing because they had incorrect length values on the outer container.

makinako avatar Aug 01 '23 01:08 makinako
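The bounds check that the report says is missing, and the validate() step the reply asks for, as an added reference implementation in Python (not OpenFIPS201's TLVReader, which is Java Card code). It assumes single-byte tags and BER short/long-form lengths; the sample bytes are constructed to mirror the report's two children (02 01 00 and 03 03 00 00 00) under an outer tag 01 whose length is either correct (8) or short (6). The rule it enforces is that a child's value may never extend past the end of its parent's value.

```python
"""Bounds-checked TLV parsing: nested TLVs must fit inside their parent container."""
from __future__ import annotations
from dataclasses import dataclass, field

class TLVError(ValueError):
    """Raised when a tag/length pair does not fit the enclosing container."""

@dataclass
class TLV:
    tag: int
    value: bytes
    children: list[TLV] = field(default_factory=list)

def _read_length(buf: bytes, pos: int, end: int) -> tuple[int, int]:
    """Decode a BER short- or long-form length at buf[pos] without reading past end."""
    if pos >= end:
        raise TLVError(f"length byte missing at offset {pos}")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F                      # number of following length bytes
    if n == 0 or n > 2 or pos + 1 + n > end:
        raise TLVError(f"bad long-form length at offset {pos}")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

# Tags whose value holds nested TLVs (constructed); 0x01 is the outer tag in the samples below.
CONSTRUCTED = frozenset({0x01})

def parse(buf: bytes, start: int = 0, end: int | None = None) -> list[TLV]:
    """Parse the TLVs in buf[start:end]; children are confined to the parent's value range."""
    end = len(buf) if end is None else end
    out, pos = [], start
    while pos < end:
        tag = buf[pos]
        length, vstart = _read_length(buf, pos + 1, end)
        vend = vstart + length
        if vend > end:                    # the overrun described in the issue
            raise TLVError(f"tag {tag:#04x} claims {length} bytes, only {end - vstart} remain in container")
        node = TLV(tag, buf[vstart:vend])
        if tag in CONSTRUCTED:
            node.children = parse(buf, vstart, vend)   # recurse with the parent's bounds
        out.append(node)
        pos = vend
    return out

def validate(hex_tlv: str) -> bool:
    """True when every nested length fits inside its parent, False on any overrun."""
    try:
        parse(bytes.fromhex(hex_tlv))
        return True
    except TLVError:
        return False

# Constructed samples (1-byte tags): outer length 8 is correct, 6 is the short length from the report.
GOOD = "0108" + "020100" + "0303000000"
SHORT = "0106" + "020100" + "0303000000"
```

With the correct outer length the tree parses; with the short one the third child is rejected instead of being read past the parent's end.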