botan icon indicating copy to clipboard operation
botan copied to clipboard
verified publisher icon randombit

Undefined shift in IPAddressOrRange

Open randombit opened this issue 7 months ago • 1 comments

OSS-Fuzz 420401644 just posting this publicly since it's not in a release

@arckoor can you take a look?

/src/botan/src/lib/x509/x509_ext.cpp:1324:62: runtime error: shift exponent 32 is too large for 32-bit type 'int'
	    #0 0x567f4e426b45 in Botan::Cert_Extension::IPAddressBlocks::IPAddressOrRange<(Botan::Cert_Extension::IPAddressBlocks::Version)16>::decode_from(Botan::BER_Decoder&) [botan/src/lib/x509/x509_ext.cpp:0](https://github.com/randombit/botan/blob/5fbcc7daa2be40fc662e48343882f7abc8827a94/src/lib/x509/x509_ext.cpp#L0)
	    #1 0x567f4e2d0640 in Botan::BER_Decoder::decode(Botan::ASN1_Object&, Botan::ASN1_Type, Botan::ASN1_Class) [botan/src/lib/asn1/ber_dec.cpp:371](https://github.com/randombit/botan/blob/5fbcc7daa2be40fc662e48343882f7abc8827a94/src/lib/asn1/ber_dec.cpp#L371):8

Hex encoding of the minimized test case

308201B830820162A003020102021020202020202020202020202020202020300D06092A864886F70D0101050500300D310B30090603202020B6022020301E170D3130303931313131313133375A170D3231303930313134343131395A300D310B300906032020201E022020305C300D0606FF202020202020202020200320002020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020A3819D30819A304906082B06010505070107043D303B302004030002203080030320202003032020200303FF20202003202020200320202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020FF300D06092A864886F70D010105050003410020202020202020202020FFFF20202020202020202020202020202020202020202020202020202020202020FF2020202020202020202020202020202020202020

randombit avatar May 29 '25 13:05 randombit

Ah, I see what's going on: we never assert that unused_bits is actually something sensible, so nothing is stopping someone from encoding a 32 or larger there and cause the above. Will address in #4890, along with something way more spicy I also found today. ~~Though I don't yet quite understand how it got to 32 in the first place, that should all be uint8_ts 🤔~~ Cpp does not, in fact, cast the 1 we shift with to a u8 at compile time like I assumed

arckoor avatar May 29 '25 16:05 arckoor