Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Parsing malformed RSA key can try to allocate huge amount of memory #563

Open
utikeev opened this issue May 22, 2024 · 1 comment
Open

Parsing malformed RSA key can try to allocate huge amount of memory #563

utikeev opened this issue May 22, 2024 · 1 comment

Comments

@utikeev
Copy link

utikeev commented May 22, 2024

KeyPairRSA.parse method has several similar sections where the DER fields are parsed, e.g.:

jsch/src/main/java/com/jcraft/jsch/KeyPairRSA.java

Lines 237 to 246 in 1021900

length = plain[index++] & 0xff;
if ((length & 0x80) != 0) {
int foo = length & 0x7f;
length = 0;
while (foo-- > 0) {
length = (length << 8) + (plain[index++] & 0xff);
}
}
n_array = new byte[length];
System.arraycopy(plain, index, n_array, 0, length);

Length of the field presented in the long form can be up to 2^1008-1 (126 bytes). After this length is read, JSch tries to allocate a byte array of such size without checking that such amount of bytes can be even read from the stream itself. As length is int it can't be bigger than 2^31 - 1, but that's still 2Gb of memory allocated that might easily lead to OutOfMemoryError.

Payload to reproduce the problem:

-----BEGIN RSA PRIVATE KEY-----
MIICWgIBAAKEf////w==
-----END RSA PRIVATE KEY-----
@utikeev
Copy link
Author

utikeev commented May 23, 2024

DSA parsing also seems to be affected by this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@utikeev