Fixed crash on assert in parse_cred_mgmt_subcommandparams() #558

DanielCohenHillel · 2021-06-17T19:55:09Z

There was no check that the map value was actually a byte string, this makes it
possible to pass invalid input into cbor_value_copy_byte_string() function from
tinycbor. There is an assertion to check the type of the input, and it is possible
to make it fail.

Here is an example payload that would make the assertion fail:

\x41\x41\x41\x41\x90\x00\x10\x41\xa1\x02\xa1\x01\x62\x58\x58

Payload structure explenation:

CID: "AAAA"
CMD: CTAPHID_CBOR (0x90)
BCNT: 16
SUBCMD: CTAP_CBOR_CRED_MGMT_PRE (0x41)
- MAP {
  - CM_subCommandParams MAP {
    - CM_subCommandRpId = "XX" // <== regular string, not byte string
      }
      }

There was no check that the map value was actually a byte string, this makes it possible to pass invalid input into cbor_value_copy_byte_string() function from tinycbor. There is an assert to check the type of the input, and it is possible to make it fail. Here is an example payload that would make the assertion fail: \x41\x41\x41\x41\x90\x00\x10\x41\xa1\x02\xa1\x01\x62\x58\x58 Payload structure explenation: * CID: "AAAA" * CMD: CTAPHID_CBOR (0x90) * BCNT: 16 * SUBCMD: CTAP_CBOR_CRED_MGMT_PRE (0x41) * MAP { * CM_subCommandParams MAP { * CM_subCommandRpId = "XX" // <== regular string, not byte string } }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fixed crash on assert in parse_cred_mgmt_subcommandparams() #558

Fixed crash on assert in parse_cred_mgmt_subcommandparams() #558

DanielCohenHillel commented Jun 17, 2021

Fixed crash on assert in parse_cred_mgmt_subcommandparams() #558

Are you sure you want to change the base?

Fixed crash on assert in parse_cred_mgmt_subcommandparams() #558

Conversation

DanielCohenHillel commented Jun 17, 2021