Skip to content

Fix erroneous success in AsnDecoder.ReadEncodedValue #109586

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bartonjs merged 1 commit into from
Nov 6, 2024
Merged

Fix erroneous success in AsnDecoder.ReadEncodedValue #109586

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/libraries/System.Formats.Asn1/src/System/Formats/Asn1/AsnDecoder.Sequence.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ public static void ReadSequence(

if (length.HasValue)
{
if (length.Value + headerLength > source.Length)
if (length.Value > source.Length - headerLength)
{
throw GetValidityException(LengthValidity.LengthExceedsInput);
}
Expand Down
237 changes: 237 additions & 0 deletions src/libraries/System.Formats.Asn1/tests/Decoder/ReadEncodedValueTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,237 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.

using Test.Cryptography;
using Xunit;

namespace System.Formats.Asn1.Tests.Decoder
{
public sealed class ReadEncodedValueTests
{
[Theory]
[InlineData(AsnEncodingRules.BER)]
[InlineData(AsnEncodingRules.CER)]
[InlineData(AsnEncodingRules.DER)]
public static void ReadEncodedValue_Primitive(AsnEncodingRules ruleSet)
{
// OCTET STRING (6 content bytes)
// NULL
ReadOnlySpan<byte> data =
[
0x04, 0x06, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
0x05, 0x00,
];

ExpectSuccess(data, ruleSet, Asn1Tag.PrimitiveOctetString, 2, 6);
}

[Theory]
[InlineData(AsnEncodingRules.BER)]
[InlineData(AsnEncodingRules.CER)]
[InlineData(AsnEncodingRules.DER)]
public static void ReadEncodedValue_Indefinite(AsnEncodingRules ruleSet)
{
// CONSTRUCTED OCTET STRING (indefinite)
// OCTET STRING (1 byte)
// OCTET STRING (5 bytes)
// END OF CONTENTS
// NULL
ReadOnlySpan<byte> data =
[
0x24, 0x80,
0x04, 0x01, 0x01,
0x04, 0x05, 0x02, 0x03, 0x04, 0x05, 0x06,
0x00, 0x00,
0x05, 0x00,
];

// BER: Indefinite length encoding is OK, no requirements on the contents.
// CER: Indefinite length encoding is required for CONSTRUCTED, the contents are invalid for OCTET STRING,
// but (Try)ReadEncodedValue doesn't pay attention to that.
// DER: Indefinite length encoding is never permitted.

if (ruleSet == AsnEncodingRules.DER)
{
ExpectFailure(data, ruleSet);
}
else
{
ExpectSuccess(data, ruleSet, Asn1Tag.ConstructedOctetString, 2, 10, indefiniteLength: true);
}
}

[Theory]
[InlineData(AsnEncodingRules.BER)]
[InlineData(AsnEncodingRules.CER)]
[InlineData(AsnEncodingRules.DER)]
public static void ReadEncodedValue_DefiniteConstructed(AsnEncodingRules ruleSet)
{
// CONSTRUCTED OCTET STRING (11 bytes)
// OCTET STRING (1 byte)
// OCTET STRING (5 bytes)
// NULL
ReadOnlySpan<byte> data =
[
0x24, 0x0A,
0x04, 0x01, 0x01,
0x04, 0x05, 0x02, 0x03, 0x04, 0x05, 0x06,
0x05, 0x00,
];

// BER: Indefinite length encoding is OK, no requirements on the contents.
// CER: Indefinite length encoding is required for CONSTRUCTED, so fail.
// DER: CONSTRUCTED OCTET STRING is not permitted, but ReadEncodedValue doesn't check for that,
// since the length is in minimal representation, the read is successful

if (ruleSet == AsnEncodingRules.CER)
{
ExpectFailure(data, ruleSet);
}
else
{
ExpectSuccess(data, ruleSet, Asn1Tag.ConstructedOctetString, 2, 10);
}
}

[Theory]
[InlineData(AsnEncodingRules.BER)]
[InlineData(AsnEncodingRules.CER)]
[InlineData(AsnEncodingRules.DER)]
public static void ReadEncodedValue_OutOfBoundsLength(AsnEncodingRules ruleSet)
{
// SEQUENCE (3 bytes), but only one byte remains.
ReadOnlySpan<byte> data = [0x30, 0x03, 0x00];

ExpectFailure(data, ruleSet);
}

[Theory]
[InlineData(AsnEncodingRules.BER)]
[InlineData(AsnEncodingRules.CER)]
[InlineData(AsnEncodingRules.DER)]
public static void ReadEncodedValue_LargeOutOfBoundsLength(AsnEncodingRules ruleSet)
{
// SEQUENCE (int.MaxValue bytes), but no bytes remain.
ReadOnlySpan<byte> data = [0x30, 0x84, 0x7F, 0xFF, 0xFF, 0xFF];

ExpectFailure(data, ruleSet);
}

[Theory]
[InlineData(AsnEncodingRules.BER)]
[InlineData(AsnEncodingRules.CER)]
[InlineData(AsnEncodingRules.DER)]
public static void ReadEncodedValue_ExtremelyLargeLength(AsnEncodingRules ruleSet)
{
if (!Environment.Is64BitProcess)
{
return;
}

// OCTET STRING ((int.MaxValue - 6) bytes), span will be inflated to make it look valid.
byte[] data = "04847FFFFFF9".HexToByteArray();

unsafe
{
fixed (byte* ptr = data)
{
// Verify that the length can be interpreted this large, but that it doesn't read that far.
ReadOnlySpan<byte> span = new ReadOnlySpan<byte>(ptr, int.MaxValue);
ExpectSuccess(span, ruleSet, Asn1Tag.PrimitiveOctetString, 6, int.MaxValue - 6);
}
}
}

private static void ExpectSuccess(
ReadOnlySpan<byte> data,
AsnEncodingRules ruleSet,
Asn1Tag expectedTag,
int expectedContentOffset,
int expectedContentLength,
bool indefiniteLength = false)
{
Asn1Tag tag;
int contentOffset;
int contentLength;
int bytesConsumed;

bool read = AsnDecoder.TryReadEncodedValue(
data,
ruleSet,
out tag,
out contentOffset,
out contentLength,
out bytesConsumed);

Assert.True(read, "AsnDecoder.TryReadEncodedValue unexpectedly returned false");
Assert.Equal(expectedTag, tag);
Assert.Equal(expectedContentOffset, contentOffset);
Assert.Equal(expectedContentLength, contentLength);

int expectedBytesConsumed = expectedContentOffset + expectedContentLength + (indefiniteLength ? 2 : 0);
Assert.Equal(expectedBytesConsumed, bytesConsumed);

contentOffset = contentLength = bytesConsumed = default;

tag = AsnDecoder.ReadEncodedValue(
data,
ruleSet,
out contentOffset,
out contentLength,
out bytesConsumed);

Assert.Equal(expectedTag, tag);
Assert.Equal(expectedContentOffset, contentOffset);
Assert.Equal(expectedContentLength, contentLength);
Assert.Equal(expectedBytesConsumed, bytesConsumed);
}

private static void ExpectFailure(ReadOnlySpan<byte> data, AsnEncodingRules ruleSet)
{
Asn1Tag tag;
int contentOffset;
int contentLength;
int bytesConsumed;

bool read = AsnDecoder.TryReadEncodedValue(
data,
ruleSet,
out tag,
out contentOffset,
out contentLength,
out bytesConsumed);

Assert.False(read, "AsnDecoder.TryReadEncodedValue unexpectedly returned true");
Assert.Equal(default, tag);
Assert.Equal(default, contentOffset);
Assert.Equal(default, contentLength);
Assert.Equal(default, bytesConsumed);

int seed = Environment.CurrentManagedThreadId;
Asn1Tag seedTag = new Asn1Tag(TagClass.Private, seed, (seed & 1) == 0);
tag = seedTag;
contentOffset = contentLength = bytesConsumed = seed;

try
{
tag = AsnDecoder.ReadEncodedValue(
data,
ruleSet,
out contentOffset,
out contentLength,
out bytesConsumed);

Assert.Fail("ReadEncodedValue should have thrown AsnContentException");
}
catch (AsnContentException e)
{
Assert.IsType<AsnContentException>(e);
}

Assert.Equal(seedTag, tag);
Assert.Equal(seed, contentOffset);
Assert.Equal(seed, contentLength);
Assert.Equal(seed, bytesConsumed);
}
}
}
28 changes: 28 additions & 0 deletions src/libraries/System.Formats.Asn1/tests/Reader/ReadSequence.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -405,5 +405,33 @@ public static void ReadSequenceOf_PreservesOptions(AsnEncodingRules ruleSet)
outer.ThrowIfNotEmpty();
initial.ThrowIfNotEmpty();
}

[Theory]
[InlineData(AsnEncodingRules.BER)]
[InlineData(AsnEncodingRules.CER)]
[InlineData(AsnEncodingRules.DER)]
public static void ExtremelyLargeContentLength(AsnEncodingRules ruleSet)
{
int start = Environment.CurrentManagedThreadId;
int contentOffset = start;
int contentLength = start;
int bytesConsumed = start;

ReadOnlySpan<byte> input = [0x30, 0x84, 0x7F, 0xFF, 0xFF, 0xFF, 0x00, 0x00];

try
{
AsnDecoder.ReadSequence(input, ruleSet, out contentOffset, out contentLength, out bytesConsumed);
Assert.Fail("ReadSequence should have thrown AsnContentException");
}
catch (AsnContentException e)
{
Assert.IsType<AsnContentException>(e);
}

Assert.Equal(start, contentOffset);
Assert.Equal(start, contentLength);
Assert.Equal(start, bytesConsumed);
}
}
}
28 changes: 28 additions & 0 deletions src/libraries/System.Formats.Asn1/tests/Reader/ReadSetOf.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -390,5 +390,33 @@ public static void ReadSetOf_PreservesOptions(AsnEncodingRules ruleSet)
outer.ThrowIfNotEmpty();
initial.ThrowIfNotEmpty();
}

[Theory]
[InlineData(AsnEncodingRules.BER)]
[InlineData(AsnEncodingRules.CER)]
[InlineData(AsnEncodingRules.DER)]
public static void ExtremelyLargeContentLength(AsnEncodingRules ruleSet)
{
int start = Environment.CurrentManagedThreadId;
int contentOffset = start;
int contentLength = start;
int bytesConsumed = start;

ReadOnlySpan<byte> input = [0x31, 0x84, 0x7F, 0xFF, 0xFF, 0xFF, 0x00, 0x00];

try
{
AsnDecoder.ReadSetOf(input, ruleSet, out contentOffset, out contentLength, out bytesConsumed);
Assert.Fail("ReadSetOf should have thrown AsnContentException");
}
catch (AsnContentException e)
{
Assert.IsType<AsnContentException>(e);
}

Assert.Equal(start, contentOffset);
Assert.Equal(start, contentLength);
Assert.Equal(start, bytesConsumed);
}
}
}
1 change: 1 addition & 0 deletions src/libraries/System.Formats.Asn1/tests/System.Formats.Asn1.Tests.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
</PropertyGroup>
<ItemGroup>
<Compile Include="Asn1TagTests.cs" />
<Compile Include="Decoder\ReadEncodedValueTests.cs" />
<Compile Include="Reader\ComprehensiveReadTests.cs" />
<Compile Include="Reader\OverlappedReads.cs" />
<Compile Include="Reader\ParseTag.cs" />
Expand Down