mouse07410/asn1c Heap Out-of-Bounds Read Vulnerability in OER Decoder for INTEGER Type

Vulnerability

A memory safety vulnerability has been identified in the OER decoding skeleton files generated by mouse07410/asn1c, specifically in versions 1.4 and earlier. The vulnerability arises when the decoder processes a maliciously crafted, zero-length OER payload for a variable-length, non-negative INTEGER type. The decoder fails to validate the required bytes before extracting the Most Significant Bit (MSB), leading to a precise 1-byte heap out-of-bounds read. This vulnerability can be exploited by remote attackers, causing a denial-of-service (DoS) condition or triggering incorrect integer interpretations in downstream applications, such as protocol state poisoning or logic bypass.

Impact

Exploitation of this vulnerability causes a heap out-of-bounds read, which can lead to a segmentation fault and therefore a denial-of-service condition. Additionally, if the out-of-bounds read occurs mid-buffer, the decoder can interpret integer values incorrectly and corrupt data structures without raising a parsing error.

Reproduction

The vulnerability can be reproduced by generating an OER decoder skeleton for an ASN.1 schema that defines a variable-length, non-negative INTEGER type. When the generated decoder is compiled with a proof-of-concept harness that simulates the malicious payload, it can be observed to read out of bounds, either causing a segmentation fault or silently corrupting data.

Remediation

A proposed patch is to implement a validation check in the INTEGER OER decoding function to ensure that the length parameter is greater than zero before extracting the Most Significant Bit. However, this patch should be tested thoroughly to avoid unintended side effects.
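
The check described above, shown in a simplified stand-alone decoder. This is an added example, not code from asn1c or from the proposed patch. The function name, status codes and output layout are hypothetical, only the short-form length octet is handled, and treating a zero length as malformed is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical status codes for this sketch (not asn1c's own types). */
enum { DEC_OK = 0, DEC_WMORE = 1, DEC_FAIL = 2 };

/*
 * Decode a variable-length, non-negative OER INTEGER:
 *   [length octet, short form 0..127][content octets, big-endian unsigned]
 * The value is stored in `out` as signed big-endian bytes, so a leading
 * 0x00 is prepended when the first content octet has its MSB set.
 * `*out_len` receives the stored size, `*consumed` the input bytes used.
 */
int decode_nonneg_integer(const uint8_t *buf, size_t size,
                          uint8_t *out, size_t out_cap,
                          size_t *out_len, size_t *consumed)
{
    if (size < 1) return DEC_WMORE;        /* no length octet yet */
    if (buf[0] & 0x80) return DEC_FAIL;    /* long form not handled here */

    size_t len = buf[0];
    const uint8_t *content = buf + 1;

    /* The proposed check: the length must be greater than zero before
     * the MSB is extracted. Without this line, content[0] below is read
     * even when the input ends right after the length octet. */
    if (len == 0) return DEC_FAIL;         /* assumption: treat as malformed */

    /* Every declared content octet must lie inside the input buffer. */
    if (len > size - 1) return DEC_WMORE;

    size_t pad = (content[0] & 0x80) ? 1 : 0;  /* MSB test, now in bounds */
    if (len + pad > out_cap) return DEC_FAIL;

    if (pad) out[0] = 0x00;                /* keep the stored value non-negative */
    memcpy(out + pad, content, len);
    *out_len = len + pad;
    *consumed = 1 + len;
    return DEC_OK;
}
```

Building a harness around a decoder like this with AddressSanitizer and feeding it an exactly sized heap buffer is a practical way to confirm that the zero-length case no longer touches memory past the input.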

Added: May 29, 2026, 2:27 PM
Updated: May 29, 2026, 2:27 PM