Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

encoding/asn1: truncated ASN.1 with explicitly tagged elements can panic. #11154

Closed
agl opened this issue Jun 10, 2015 · 1 comment
Closed

encoding/asn1: truncated ASN.1 with explicitly tagged elements can panic. #11154

agl opened this issue Jun 10, 2015 · 1 comment
Assignees
Milestone

Comments

@agl
Copy link
Contributor

@agl agl commented Jun 10, 2015

Thanks to Kyle Isom for fuzzing and finding that it's possible to panic encoding/asn1.Unmarshal when ASN.1 data is truncated after an explicit tag.

This can affect the parsing of various ASN.1 structures, most importantly X.509 certificates. TLS servers without client-authentication enabled (which is the vast majority of them) should be unaffected. Also, even with client-authentication enabled, calling code often catches and handles any panics.

TLS clients can be forced into panicking if the server sends a suitably crafted certificate.

@agl agl self-assigned this Jun 10, 2015
@bradfitz bradfitz changed the title Truncated ASN.1 with explicitly tagged elements can panic. encoding/asn1: truncated ASN.1 with explicitly tagged elements can panic. Jun 10, 2015
@gopherbot
Copy link

@gopherbot gopherbot commented Jun 10, 2015

CL https://golang.org/cl/10712 mentions this issue.

@ianlancetaylor ianlancetaylor added this to the Go1.5 milestone Jun 10, 2015
@agl agl closed this in 38e3427 Jun 13, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.