path: root/meta-python/recipes-devtools/python/python3-ecdsa/CVE-2026-33936.patch
From 41e6b7be293284ef8b1f102587f0da6eae1b753f Mon Sep 17 00:00:00 2001
From: 0xmrma <moabdelaal442004@gmail.com>
Date: Sun, 1 Mar 2026 09:18:21 +0200
Subject: [PATCH] der: reject truncated lengths in octet/implicit/constructed

CVE: CVE-2026-33936
Upstream-Status: Backport [https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3]
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 src/ecdsa/der.py      |  4 ++++
 src/ecdsa/test_der.py | 13 +++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/ecdsa/der.py b/src/ecdsa/der.py
index b291485..5bbfaa3 100644
--- a/src/ecdsa/der.py
+++ b/src/ecdsa/der.py
@@ -137,6 +137,8 @@ def remove_constructed(string):
         )
     tag = s0 & 0x1F
     length, llen = read_length(string[1:])
+    if length > len(string) - 1 - llen:
+        raise UnexpectedDER("Length longer than the provided buffer")
     body = string[1 + llen : 1 + llen + length]
     rest = string[1 + llen + length :]
     return tag, body, rest
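Review bot: The new guard at the two added lines is duplicated verbatim in the remove_octet_string hunk below, and the subject line also names "implicit", yet no hunk for a remove_implicit function appears in this backport; if der.py has a third function with the same `string[1 + llen : 1 + llen + length]` slice pattern it is still unguarded here, otherwise the subject overstates what was backported — worth confirming against the upstream commit referenced in Upstream-Status. A small shared helper, e.g. `def _check_length(string, length, llen): if length > len(string) - 1 - llen: raise UnexpectedDER("Length longer than the provided buffer")`, called from each decoder would keep the three call sites from drifting. The check also relies on read_length having already rejected a length field that overruns `string` (so that `len(string) - 1 - llen` is non-negative); that is presumably the case but is not visible in this hunk. A one-line comment such as `# DER length must not exceed the bytes actually present; avoid silently truncating the body` above the guard would record why the slice alone is not enough. remove_constructed's body begins outside the hunk.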
@@ -160,6 +162,8 @@ def remove_octet_string(string):
         n = str_idx_as_int(string, 0)
         raise UnexpectedDER("wanted type 'octetstring' (0x04), got 0x%02x" % n)
     length, llen = read_length(string[1:])
+    if length > len(string) - 1 - llen:
+        raise UnexpectedDER("Length longer than the provided buffer")
     body = string[1 + llen : 1 + llen + length]
     rest = string[1 + llen + length :]
     return body, rest
diff --git a/src/ecdsa/test_der.py b/src/ecdsa/test_der.py
index 0c2dc4d..28d231e 100644
--- a/src/ecdsa/test_der.py
+++ b/src/ecdsa/test_der.py
@@ -476,3 +476,16 @@ def test_oids(ids):
     decoded_oid, rest = remove_object(encoded_oid)
     assert rest == b""
     assert decoded_oid == ids
+
+def test_remove_octet_string_rejects_truncated_length():
+    # OCTET STRING: declared length 4096, but only 3 bytes present
+    bad = b"\x04\x82\x10\x00" + b"ABC"
+    with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
+        remove_octet_string(bad)
+
+def test_remove_constructed_rejects_truncated_length():
+    # Constructed tag: 0xA0 (context-specific constructed, tag=0)
+    # declared length 4096, but only 3 bytes present
+    bad = b"\xA0\x82\x10\x00" + b"ABC"
+    with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
+        remove_constructed(bad)
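Review bot: Both new tests only exercise a gross overrun (declared 4096 vs 3 bytes present) so they would not catch an off-by-one in the guard's `len(string) - 1 - llen` arithmetic; a pair of boundary cases — exact fit must still decode, one byte short must raise — pins the inequality itself. There is also no test for the "implicit" case named in the subject, which is consistent with no remove_implicit hunk being present in this backport; if that function is guarded upstream, its test should be carried over too. The boundary tests below use a short-form length so the arithmetic is easy to follow (`0x04 0x03 "ABC"` fits exactly, `0x04 0x04 "ABC"` is one short).
```python
# … unchanged: test_oids and the two truncated-length tests above …

def test_remove_octet_string_accepts_exact_length():
    # declared length 3 with exactly 3 bytes present must still decode
    body, rest = remove_octet_string(b"\x04\x03ABC")
    assert body == b"ABC"
    assert rest == b""

def test_remove_octet_string_rejects_length_one_past_end():
    # declared length 4 with only 3 bytes present: one byte short
    with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
        remove_octet_string(b"\x04\x04ABC")
```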