> TLS-01-004 - Data Truncation in DER Encoding Implementation (low). This finding rightly points out a function in rustls that produces incorrect output when applied to an X.501 Name that is larger than 64KB. While that’s an exceedingly unlikely case, and the bug does not cause unsafe operation (but perhaps connection failure), the function has been corrected to produce valid output for all inputs.<p>The ISO 7816 smartcard standard uses this same ASN.1-based scheme for command and reply encoding. I found a memmove overflow and a separate off-by-one bug in Yubico's PC/SC library, and an off-by-one bug in the Yubikey 4 firmware, all related to their handling of this encoding.<p>It's possible that the Yubikey 4 bug could have been leveraged into an information leak, a buffer overflow, or some other exploit of the firmware.[1] The firmware was calculating a command reply length based on what the proper, compact length of the object should be, not the <i>actual</i> length of the stored object with malformed internal encoding, leading to corrupt reply chains. But I never explored it. I'm not an exploit developer, and didn't have time to go down that rabbit hole. I only discovered the bugs tracking down a bug in my own PC/SC library. It turned out I was generating an overlong encoding ({0x82 0x00 0xff} instead of {0x81 0xff}) for an object, tickling the Yubikey 4 issue. Yubico quickly fixed their library, but the engineer resolving the ticket downplayed the firmware issue, which seemed far more concerning as it suggested bug-prone buffer management techniques in the firmware.[2] (Indeed, it suggested that the firmware reused the buggy library code.) I haven't gone back to see what happened with the firmware since then.<p>Anyhow, paying attention to small encoding and decoding issues like these are important--the details always matter. "This couldn't possibly lead to an exploit" are famous last words.<p>[1] Hopefully not a leak of the key itself as I presume it was inaccessible to the firmware, but who knows--it's a black box.<p>[2] IIRC, their argument was garbage in, garbage out (GIGO), which is a dangerous misapplication of that principle. A malformed object should never result in malformed, corrupt responses by other layers of the protocol stack. In fact, the GIGO principle usually implies the opposite--that the behavior of other layers of the stack is invariant to bad data, not conditioned by it.<p>EDIT: Looking at my Git logs it seems my code was never buggy. My library couldn't read back some certificates generated by another, third, project and written to the card using the Yubico SDK. That third project was generating the over long encoding, and in the process of tracking down the root of the issue I stumbled upon the Yubico bugs. IIRC, that third project was never reading back the certificate as they had a very convoluted scheme for 2FA and client-side SSH X.509 certificates that relied heavily on the bespoke behavior of their client-side Go daemon.