s-expression parser datalen overflow
Testing, Normal, Public

Assigned To
Authored By: werner, Mon, May 18, 10:21 AM

Description

Snippet from a report we received on 2026-05-17:

Libgcrypt accepts a canonical atom length that is larger than what its
internal S-expression representation can safely store, so it later
remembers the wrong end of the atom and can read past the end of the heap
buffer.

More specifically, the canonical LEN:DATA parser accepts
attacker-controlled atom lengths larger than 65535 bytes. That length is
later stored in the internal DATALEN field, which is 16-bit. When the
oversized length is stored, it is silently truncated. From that point on,
the parser and the internal representation no longer agree about where the
atom actually ends.

Reported-by: Ciwan Öztopal
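The failure mode in the report is a width mismatch: the length parsed from the canonical `LEN:DATA` prefix is wider than the 16-bit `DATALEN` field it is later stored in, so the stored value wraps and the two sides of the parser disagree about where the atom ends. The C below is an added illustration, not libgcrypt's code: the `atom_t` struct, the `DATALEN_MAX` constant and all function names are hypothetical stand-ins modelled on the description above. It shows the unchecked store beside the hardened one, which rejects any length the field cannot represent before anything is stored.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical atom node: a 16-bit length field like the DATALEN field the
   report describes, plus a pointer into the input buffer. Not libgcrypt's layout. */
typedef struct {
    uint16_t datalen;          /* only 16 bits wide */
    const unsigned char *data;
} atom_t;

#define DATALEN_MAX 65535u     /* largest value a 16-bit field can hold */

/* Parse the decimal LEN prefix of a canonical "LEN:DATA" atom.
   Returns the number of header bytes consumed (digits plus ':'), or 0 on
   malformed input. *len_out receives the full-width parsed length. */
static size_t parse_canonical_len(const unsigned char *buf, size_t buflen, size_t *len_out)
{
    size_t i = 0, len = 0;
    if (buflen == 0 || buf[0] < '0' || buf[0] > '9')
        return 0;
    while (i < buflen && buf[i] >= '0' && buf[i] <= '9') {
        unsigned d = buf[i] - '0';
        if (len > (SIZE_MAX - d) / 10)   /* decimal value would overflow size_t */
            return 0;
        len = len * 10 + d;
        i++;
    }
    if (i >= buflen || buf[i] != ':')
        return 0;
    *len_out = len;
    return i + 1;
}

/* Weak pattern: the length is bounds-checked against the input, but then cast
   into the 16-bit field, so anything above 65535 is silently truncated. */
int parse_atom_unchecked(const unsigned char *buf, size_t buflen, atom_t *out)
{
    size_t len, hdr = parse_canonical_len(buf, buflen, &len);
    if (!hdr) return -1;
    if (len > buflen - hdr) return -1;   /* atom claims more bytes than the input has */
    out->data = buf + hdr;
    out->datalen = (uint16_t)len;        /* wraps when len > DATALEN_MAX */
    return 0;
}

/* Hardened pattern: reject lengths the field cannot represent before storing. */
int parse_atom_checked(const unsigned char *buf, size_t buflen, atom_t *out)
{
    size_t len, hdr = parse_canonical_len(buf, buflen, &len);
    if (!hdr) return -1;
    if (len > buflen - hdr) return -1;
    if (len > DATALEN_MAX) return -2;    /* too large for the internal representation */
    out->data = buf + hdr;
    out->datalen = (uint16_t)len;        /* now provably lossless */
    return 0;
}

/* Constructed test input: build "<n>:<n bytes of 'A'>" in a malloc'd buffer. */
unsigned char *build_atom(size_t n, size_t *outlen)
{
    char hdr[32];
    int hl = snprintf(hdr, sizeof hdr, "%zu:", n);
    unsigned char *buf = malloc((size_t)hl + n);
    if (!buf) return NULL;
    memcpy(buf, hdr, (size_t)hl);
    memset(buf + hl, 'A', n);
    *outlen = (size_t)hl + n;
    return buf;
}

/* What the unchecked parser ends up storing for an atom of n bytes (-1 on parse error). */
long unchecked_stored_len(size_t n)
{
    size_t blen; atom_t a;
    unsigned char *buf = build_atom(n, &blen);
    if (!buf) return -1;
    long r = parse_atom_unchecked(buf, blen, &a) == 0 ? (long)a.datalen : -1;
    free(buf);
    return r;
}

/* Return code of the hardened parser for an atom of n bytes. */
int checked_result(size_t n)
{
    size_t blen; atom_t a;
    unsigned char *buf = build_atom(n, &blen);
    if (!buf) return -1;
    int rc = parse_atom_checked(buf, blen, &a);
    free(buf);
    return rc;
}

int main(void)
{
    printf("70000-byte atom, unchecked store: datalen=%ld\n", unchecked_stored_len(70000));
    printf("70000-byte atom, checked parse:  rc=%d\n", checked_result(70000));
    return 0;
}
```

With a 70000-byte atom the unchecked path reports success with a `datalen` of 4464 (70000 mod 65536), which is exactly the disagreement the report describes; the checked path returns an error instead. The bound must be enforced at the point where the wide value is narrowed, since the earlier check against the input size is correct on its own and does not catch this.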

Event Timeline

werner created this object in space Restricted Space.
werner created this object with edit policy "Contributor (Project)".

I added checks:

gniibe mentioned this in Unknown Object (Maniphest Task). Mon, Jun 1, 3:26 AM
gniibe triaged this task as Normal priority.
gniibe changed the task status from Open to Testing. Mon, Jun 8, 2:51 AM
gniibe shifted this object from the Restricted Space space to the S1 Public space. Mon, Jun 8, 3:23 AM
gniibe changed the edit policy from "Contributor (Project)" to "All Users".
gniibe mentioned this in Unknown Object (Maniphest Task). Mon, Jun 8, 3:32 AM