CVE-2020-23911: A Segmentation fault in asn1fix_enum.c:82:5 · Issue #394 · vlm/asn1c
An issue was discovered in asn1c through v0.9.28. A NULL pointer dereference exists in the function _default_error_logger() located in asn1fix.c. It allows an attacker to cause Denial of Service.
The crash is caused by this debug/error message:
https://github.com/vlm/asn1c/blob/v0.9.28/libasn1fix/asn1fix_enum.c#L82
FATAL("HERE HERE HERE", 1);
It looks like a temporary message added while debugging some issue, but that assumption is hard to confirm because the line was already present in the initial import to git.
The FATAL macro effectively expands to something like this:
printf("HERE HERE HERE" " in %s", 1, source_file_name);
so the %s conversion is applied to the argument 1 (interpreted as the pointer 0x1) instead of the file name string, and dereferencing that pointer crashes the process.
The most trivial fix is to remove the extraneous `, 1` argument. A better fix would be to remove the FATAL call completely if it is not needed, or to use a proper message if it is needed.
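To show the mechanism behind the crash and the shape of a robust fix, here is an added example (not asn1c's code): a small format-argument counter that flags the reported call, modelling the "append ` in %s`, pass the file name last" macro layout described above, plus an assumed hardened `fatal_at`/`FATAL` design whose `printf` format attribute lets the compiler reject such a mismatch at build time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Number of arguments a printf-style format consumes: "%%" consumes none,
 * every '*' width/precision consumes one, each conversion consumes one. */
int format_arg_count(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;                              /* look at what follows '%' */
        if (*p == '%') continue;          /* literal percent sign */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*') n++;           /* runtime width/precision */
            p++;
        }
        if (!*p) break;                   /* truncated spec at end of string */
        n++;                              /* the conversion character */
    }
    return n;
}

/* Models the macro layout described in the issue: the caller's format gets
 * " in %s" appended and the file name is passed LAST, so the caller must
 * supply exactly format_arg_count(fmt) extra arguments.  Returns 1 when the
 * call is consistent, 0 when extras shift into the %s slot (the CVE case). */
int fatal_call_ok(const char *fmt, int extra_args) {
    return format_arg_count(fmt) == extra_args;
}

/* Hardened replacement (assumed design, not asn1c's code): file/line are
 * explicit parameters and the format attribute lets GCC/Clang reject a call
 * like FATAL("HERE HERE HERE", 1) at compile time under -Wformat. */
#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif
void fatal_at(const char *file, int line, const char *fmt, ...)
    PRINTF_LIKE(3, 4);
void fatal_at(const char *file, int line, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);            /* caller's args, nothing appended */
    va_end(ap);
    fprintf(stderr, " in %s:%d\n", file, line);
}
#define FATAL(...) fatal_at(__FILE__, __LINE__, __VA_ARGS__)
```

`fatal_call_ok("HERE HERE HERE", 1)` returns 0 for the reported call and 1 once the stray `, 1` is removed; a call such as `FATAL("enumeration value %d out of range", 42)` goes through the hardened path with its arguments checked by the compiler.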