#367

Author: usr3-1415

BackendAst/DAstConstruction.fs

@@ -1127,6 +1127,7 @@ let calculateFunctionToBeGenerated (r:Asn1AcnAst.AstRoot) (us:State) =
     let functionCalls = us.functionCalls
     let requiresUPER = r.args.encodings |> Seq.exists ( (=) Asn1Encoding.UPER)
     let requiresAcn = r.args.encodings |> Seq.exists ( (=) Asn1Encoding.ACN)
+    let requiresXer = r.args.encodings |> Seq.exists ( (=) Asn1Encoding.XER)
 
     let functionTypes =  
         seq {
@@ -1135,6 +1136,7 @@ let calculateFunctionToBeGenerated (r:Asn1AcnAst.AstRoot) (us:State) =
             if r.args.GenerateEqualFunctions then yield EqualFunctionType; 
             if requiresUPER then yield UperEncDecFunctionType; 
             if requiresAcn then yield AcnEncDecFunctionType; 
+            if requiresXer then yield XerEncDecFunctionType;
         } |> Seq.toList
 
     (*

FrontEndAst/AcnCreateFromAntlr.fs

@@ -43,10 +43,14 @@ let private getIntSizeProperty  errLoc (props:GenericAcnProperty list) =
     | Some (GP_NullTerminated   )   ->
         match tryGetProp props (fun x -> match x with TERMINATION_PATTERN e -> Some e | _ -> None) with
         | Some bitPattern    ->
+            printfn "bitPattern: %A" bitPattern
+            printfn "bitPattern.Value.Length: %A" bitPattern.Value.Length
             match bitPattern.Value.Length % 8 <> 0 with
             | true  -> raise(SemanticError(bitPattern.Location, sprintf "termination-pattern value must be a sequence of bytes"  ))
             | false ->
                 let ba = bitStringValueToByteArray bitPattern |> Seq.toList
+                if ba.Length > 10 then
+                    raise(SemanticError(bitPattern.Location, "termination-pattern cannot exceed 10 bytes"))
                 Some(AcnGenericTypes.IntNullTerminated ba)
         | None      -> Some(AcnGenericTypes.IntNullTerminated ([byte 0]))
     | Some (GP_SizeDeterminant _)   -> raise(SemanticError(errLoc ,"Expecting an Integer value or an ACN constant as value for the size property"))
@@ -70,6 +74,8 @@ let private getStringSizeProperty (minSize:BigInteger) (maxSize:BigInteger) errL
             | true  -> raise(SemanticError(bitPattern.Location, sprintf "termination-pattern value must be a sequence of bytes"  ))
             | false ->
                 let ba = bitStringValueToByteArray bitPattern |> Seq.toList
+                if ba.Length > 10 then
+                    raise(SemanticError(bitPattern.Location, "termination-pattern cannot exceed 10 bytes"))
                 Some(AcnGenericTypes.StrNullTerminated ba)
         | None      -> Some(AcnGenericTypes.StrNullTerminated ([byte 0]))
     | Some (GP_SizeDeterminant fld)   -> (Some (AcnGenericTypes.StrExternalField fld))

StgAda/xer_a.stg

@@ -282,6 +282,11 @@ adaasn1rtl.encoding.xer.Xer_DecodeComplexElementStart(bs, <sTag>, ret);
 if ret.Success then
     <sI> := 1;
     while ret.Success and  not adaasn1rtl.encoding.xer.Xer_NextEndElementIs(bs, <sTag>) loop
+        if <sI> > <nSizeMax> then
+            ret.Success := False;
+            ret.ErrorCode := <sErrCode>;
+            exit;
+        end if;
 	    <sChildBody>
 	    <sI> := <sI> + 1;
     end loop;

StgC/xer_c.stg

@@ -263,6 +263,11 @@ if (ret) {
     <sI> = 0;
     while(ret && !Xer_NextEndElementIs(pByteStrm, <sTag>))
     {
+        if (<sI> >= <nSizeMax>) {
+            ret = FALSE;
+            *pErrCode = <sErrCode>;
+            break;
+        }
 	    <sChildBody>
 	    <sI>++;
 	    <if(!bFixedSize)><p><sAcc>nCount++;<endif>

asn1crt/asn1crt_encoding_acn.c

@@ -855,16 +855,16 @@ flag Acn_Dec_UInt_ASCII_VarSize_NullTerminated(BitStream* pBitStrm, asn1SccUint*
 	memset(tmp, 0x0, 10);
 
 	//read null_character_size characters into the tmp buffer
-	for (int j = 0; j < (int)null_characters_size; j++) {
+	for (int j = 0; j < (int)sz; j++) {
 		if (!BitStream_ReadByte(pBitStrm, &(tmp[j])))
 			return FALSE;
 	}
 
 	while (memcmp(null_characters, tmp, sz) != 0) {
 		digit = tmp[0];
-		for (int j = 0; j < (int)null_characters_size - 1; j++)
+		for (int j = 0; j < (int)sz - 1; j++)
 			tmp[j] = tmp[j + 1];
-		if (!BitStream_ReadByte(pBitStrm, &(tmp[null_characters_size - 1])))
+		if (!BitStream_ReadByte(pBitStrm, &(tmp[sz - 1])))
 			return FALSE;
 
 		digit = (byte)((int)digit - '0');
@@ -1324,7 +1324,7 @@ flag Acn_Dec_String_Ascii_Null_Terminated_mult(BitStream* pBitStrm, asn1SccSint
 	memset(tmp, 0x0, 10);
 	memset(strVal, 0x0, (size_t)max + 1);
 	//read null_character_size characters into the tmp buffer
-	for (int j = 0; j < (int)null_character_size; j++) {
+	for (int j = 0; j < (int)sz; j++) {
 		if (!BitStream_ReadByte(pBitStrm, &(tmp[j])))
 			return FALSE;
 	}
@@ -1333,9 +1333,9 @@ flag Acn_Dec_String_Ascii_Null_Terminated_mult(BitStream* pBitStrm, asn1SccSint
 	while (i <= max && (memcmp(null_character, tmp, sz) != 0)) {
 		strVal[i] = tmp[0];
 		i++;
-		for (int j = 0; j < (int)null_character_size - 1; j++)
+		for (int j = 0; j < (int)sz - 1; j++)
 			tmp[j] = tmp[j + 1];
-		if (!BitStream_ReadByte(pBitStrm, &(tmp[null_character_size - 1])))
+		if (!BitStream_ReadByte(pBitStrm, &(tmp[sz - 1])))
 			return FALSE;
 	}
 

v4Tests/security-regression/case1_xer_primitive_overflow/README.md

@@ -0,0 +1,33 @@
+# Case 1 – XER Primitive Decoder Buffer Overflow (Issue #367)
+
+This directory contains a security regression test for a buffer overflow that previously existed in the XER primitive decoder.
+
+The issue affected `Xer_DecodePrimitiveElement()`, which copied decoded XML content into a fixed-size buffer without bounds checking. A malicious XER/XML input with oversized element content could trigger a buffer overflow and crash the decoder.
+
+This test verifies that the decoder now **fails safely** (returns an error) instead of overflowing memory.
+
+## Contents
+
+- `a.asn`  
+  Minimal ASN.1 grammar used to generate a XER decoder.
+
+- `malicious.xml`  
+  Crafted XER input with oversized element content intended to trigger the overflow.
+
+- `reproduce_issue.sh`  
+  Script that:
+  1. Runs `asn1scc` with XER support
+  2. Builds the generated code
+  3. Invokes the decoder on `malicious.xml`
+
+- `SECURITY_ISSUE_1_XER_BUFFER_OVERFLOW.md`  
+  Original security report and proposed fix.
+
+## How to run
+
+From this directory:
+
+```bash
+./reproduce_issue.sh
+```
+This will execute the test and demonstrate that the decoder now handles the malicious input without crashing, confirming that the buffer overflow has been mitigated.

v4Tests/security-regression/case1_xer_primitive_overflow/SECURITY_ISSUE_1_XER_BUFFER_OVERFLOW.md

@@ -0,0 +1,110 @@
+# Security Issue: XER Primitive Decoder Buffer Overflow
+
+## Summary
+
+`Xer_DecodePrimitiveElement` copies XML element content into a caller-supplied buffer without bounds checking. Malformed XER input with oversized element content can overflow fixed-size stack buffers.
+
+## Location
+
+- **File:** `asn1crt/asn1crt_encoding_xer.c`
+- **Function:** `Xer_DecodePrimitiveElement` (lines 248-330)
+- **Exposed via:** `Xer_DecodeString`, `Xer_DecodeOctetString`, `Xer_DecodeObjectIdentifier`, etc.
+
+## Affected Code
+
+```c
+while (c != '<')
+{
+    if (!GetNextChar(pByteStrm, &c))
+        return FALSE;
+    if (c == '<') {
+        *pDecodedValue = 0x0;
+        pDecodedValue++;
+        break;
+    }
+
+    *pDecodedValue = c;   // No bounds check
+    pDecodedValue++;
+}
+```
+
+## Impact
+
+- Callers use fixed buffers: 256 bytes (integers), 1024 bytes (octet strings, OIDs), 2048 bytes (bit strings)
+- `Xer_DecodeString` passes through user buffer with unknown size
+- Overflow corrupts stack, may enable code execution or crash
+
+## Prerequisites
+
+1. Application uses `-XER` flag during code generation
+2. Application decodes XER/XML data from untrusted source
+3. Attacker provides element content exceeding buffer size
+
+## CVSS v3.1 Estimate
+
+**Vector:** `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`  
+**Score:** 7.5 (High) - assuming XER decoder processes network input
+
+If code execution is achievable: `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` = 8.1
+
+*Note: Real-world impact depends on whether XER is used with untrusted input.*
+
+## Suggested Fix
+
+```diff
+--- a/asn1crt/asn1crt_encoding_xer.c
++++ b/asn1crt/asn1crt_encoding_xer.c
+@@ -245,8 +245,9 @@ flag Xer_EncodePrimitiveElement(ByteStream* pByteStrm, const char* elementTag, c
+ }
+ 
+ 
+-flag Xer_DecodePrimitiveElement(ByteStream* pByteStrm, const char* elementTag, char* pDecodedValue, int *pErrCode)
++flag Xer_DecodePrimitiveElement(ByteStream* pByteStrm, const char* elementTag, char* pDecodedValue, size_t maxLen, int *pErrCode)
+ {
++	size_t written = 0;
+ 	Token t;
+ 	char c = 0x0;
+ 
+@@ -288,12 +289,17 @@ flag Xer_DecodePrimitiveElement(ByteStream* pByteStrm, const char* elementTag, c
+ 	while (c != '<')
+ 	{
+ 		if (!GetNextChar(pByteStrm, &c))
+ 			return FALSE;
+ 		if (c == '<') {
+ 			*pDecodedValue = 0x0;
+ 			break;
+ 		}
++		if (written >= maxLen - 1) {
++			*pErrCode = ERR_INVALID_XML_FILE;
++			return FALSE;
++		}
+ 		*pDecodedValue = c;
+ 		pDecodedValue++;
++		written++;
+ 	}
+ 
+ 	PushBackChar(pByteStrm);
+```
+
+Update all callers to pass buffer size:
+
+```diff
+--- a/asn1crt/asn1crt_encoding_xer.c
++++ b/asn1crt/asn1crt_encoding_xer.c
+@@ -707,7 +707,7 @@ flag Xer_DecodeInteger(ByteStream* pByteStrm, const char* elementTag, asn1SccSin
+ {
+ 	char tmp[256];
+ 	memset(tmp, 0x0, sizeof(tmp));
+-	if (!Xer_DecodePrimitiveElement(pByteStrm, elementTag, tmp, pErrCode))
++	if (!Xer_DecodePrimitiveElement(pByteStrm, elementTag, tmp, sizeof(tmp), pErrCode))
+ 		return FALSE;
+ 	*value = atoll(tmp);
+ 	return TRUE;
+```
+
+## Testing
+
+1. Create XER input with element content > 2048 bytes
+2. Decode using generated XER decoder
+3. Verify decoder returns error instead of crashing
+

v4Tests/security-regression/case1_xer_primitive_overflow/a.asn

@@ -0,0 +1,26 @@
+MOD-A DEFINITIONS ::=
+BEGIN
+
+	MyInt ::= INTEGER (0..40)
+	BYTE  ::= INTEGER (0..255) 
+	RGB ::= SEQUENCE {
+		r BYTE,
+		g BYTE,
+		c BYTE
+	} 
+
+	PDU ::= SEQUENCE {
+		a INTEGER (0..10),
+		b INTEGER (0..10),
+		c MyInt,
+		d BYTE
+		
+	}
+
+	DUMMY ::= SEQUENCE {
+		c INTEGER (0..10),
+		d INTEGER (0..10)
+	}
+
+END
+

v4Tests/security-regression/case1_xer_primitive_overflow/malicious.xml

@@ -0,0 +1 @@
+<PDU><a>111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111</a><b>1</b><c>1</c><d>1</d></PDU>

v4Tests/security-regression/case1_xer_primitive_overflow/reproduce_issue.sh

@@ -0,0 +1,119 @@
+#!/bin/bash
+
+# Configuration
+ASN1SCC="asn1scc.exe"
+OUT_DIR="c_out"
+RUNNER="runner.c"
+RUNNER_EXE="runner.exe"
+XML_FILE="malicious.xml"
+
+# Cleanup previous run
+rm -rf $OUT_DIR $RUNNER $RUNNER_EXE $XML_FILE
+
+# 1. Generate Code using asn1scc
+echo "Step 1: Generating C code..."
+mkdir -p $OUT_DIR
+$ASN1SCC -XER -c -o $OUT_DIR -atc a.asn
+if [ $? -ne 0 ]; then
+    echo "Error: ASN1SCC compilation failed."
+    exit 1
+fi
+
+# 2. Prepare Input (Malicious XML)
+echo "Step 2: Creating malicious input ($XML_FILE)..."
+# Create a string of 300 '1's for the integer 'a' to overflow the 256 byte buffer
+# We construct the payload manually to ensure portability
+PAYLOAD=""
+for i in {1..300}; do PAYLOAD="${PAYLOAD}1"; done
+
+# Note: The structure is PDU ::= SEQUENCE { a INTEGER, b INTEGER, c MyInt, d BYTE }
+# XML format for XER usually uses the field names as tags.
+echo "<PDU><a>$PAYLOAD</a><b>1</b><c>1</c><d>1</d></PDU>" > $XML_FILE
+
+# 3. Create Test Runner dynamically
+echo "Step 3: Creating runner source code..."
+cat << 'EOF' > $RUNNER
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* Include generated headers */
+#include "a.h" 
+
+int main() {
+    const char *filename = "malicious.xml";
+    FILE *f = fopen(filename, "rb");
+    if (!f) {
+        fprintf(stderr, "Error: Could not open %s\n", filename);
+        return 1;
+    }
+
+    fseek(f, 0, SEEK_END);
+    long fsize = ftell(f);
+    fseek(f, 0, SEEK_SET);
+
+    char *buffer = (char *)malloc(fsize + 1);
+    if (!buffer) {
+        fprintf(stderr, "Error: Memory allocation failed\n");
+        fclose(f);
+        return 1;
+    }
+
+    size_t read_size = fread(buffer, 1, fsize, f);
+    buffer[read_size] = 0;
+    fclose(f);
+
+    printf("Read %ld bytes from %s\n", (long)read_size, filename);
+
+    /* Initialize decoding structures */
+    PDU pdu;
+    PDU_Initialize(&pdu);
+
+    ByteStream strm;
+    ByteStream_Init(&strm, (byte*)buffer, read_size);
+
+    int errorCode = 0;
+    
+    printf("Attempting to decode malicious input...\n");
+    flag result = PDU_XER_Decode(&pdu, &strm, &errorCode);
+
+    free(buffer);
+
+    /* Validation Logic */
+    /* If the fix works, it should detect the overflow/length and return FALSE */
+    if (result == 0) { /* FALSE is 0 */
+        printf("PASS: Decode failed as expected. Error Code: %d\n", errorCode);
+        return 0;
+    } else {
+        printf("FAIL: Decode succeeded unexpectedly! Buffer overflow check missing.\n");
+        return 1;
+    }
+}
+EOF
+
+# 4. Compile
+echo "Step 4: Compiling test runner..."
+gcc -o $RUNNER_EXE $RUNNER \
+    $OUT_DIR/a.c \
+    $OUT_DIR/asn1crt.c \
+    $OUT_DIR/asn1crt_encoding.c \
+    $OUT_DIR/asn1crt_encoding_xer.c \
+    -I$OUT_DIR
+
+if [ $? -ne 0 ]; then
+    echo "Error: Compilation failed."
+    exit 1
+fi
+
+# 5. Run Test
+echo "Step 5: Running test..."
+./$RUNNER_EXE
+RET_CODE=$?
+
+if [ $RET_CODE -eq 0 ]; then
+    echo "Test Result: PASS"
+else
+    echo "Test Result: FAIL"
+fi
+
+exit $RET_CODE