Potential buffer overwrite in pem_write_buffer() fixed

Length indication when given a too small buffer was off.
Added regression test in test_suite_pem to detect this.

ChangeLog

@@ -42,6 +42,8 @@ Bugfix
    * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
    * Calling pk_debug() on an RSA-alt key would segfault.
    * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
+   * Potential buffer overwrite in pem_write_buffer() because of low length
+     indication (found by Thijs Alkemade)
 
 = PolarSSL 1.3.5 released on 2014-03-26
 Features

library/pem.c

@@ -382,10 +382,11 @@ int pem_write_buffer( const char *header, const char *footer,
 {
     int ret;
     unsigned char *encode_buf, *c, *p = buf;
-    size_t len = 0, use_len = 0;
-    size_t add_len = strlen( header ) + strlen( footer ) + ( use_len / 64 ) + 1;
+    size_t len = 0, use_len = 0, add_len = 0;
 
     base64_encode( NULL, &use_len, der_data, der_len );
+    add_len = strlen( header ) + strlen( footer ) + ( use_len / 64 ) + 1;
+
     if( use_len + add_len > buf_len )
     {
         *olen = use_len + add_len;

tests/CMakeLists.txt

@@ -75,6 +75,7 @@ add_test_suite(md)
 add_test_suite(mdx)
 add_test_suite(mpi)
 add_test_suite(pbkdf2)
+add_test_suite(pem)
 add_test_suite(pkcs1_v21)
 add_test_suite(pkcs5)
 add_test_suite(pk)

tests/Makefile

@@ -58,6 +58,7 @@ APPS =	test_suite_aes.ecb		test_suite_aes.cbc		\
 		test_suite_hmac_drbg.pr							\
 		test_suite_md			test_suite_mdx			\
 		test_suite_mpi			test_suite_pbkdf2		\
+		test_suite_pem									\
 		test_suite_pkcs1_v21	test_suite_pkcs5		\
 		test_suite_pkparse		test_suite_pkwrite		\
 		test_suite_pk									\
@@ -321,6 +322,10 @@ test_suite_pbkdf2: test_suite_pbkdf2.c $(DEP)
 	echo   "  CC    	$@.c"
 	$(CC) $(CFLAGS) $(OFLAGS) $@.c	$(LDFLAGS) -o $@
 
+test_suite_pem: test_suite_pem.c $(DEP)
+	echo   "  CC    	$@.c"
+	$(CC) $(CFLAGS) $(OFLAGS) $@.c	$(LDFLAGS) -o $@
+
 test_suite_pkcs1_v21: test_suite_pkcs1_v21.c $(DEP)
 	echo   "  CC    	$@.c"
 	$(CC) $(CFLAGS) $(OFLAGS) $@.c	$(LDFLAGS) -o $@

tests/suites/main_test.function

@@ -1,6 +1,14 @@
 #include <stdio.h>
 #include <string.h>
 
+#if defined(POLARSSL_PLATFORM_C)
+#include "polarssl/platform.h"
+#else
+#define polarssl_printf     printf
+#define polarssl_malloc     malloc
+#define polarssl_free       free
+#endif
+
 static int test_errors = 0;
 
 SUITE_PRE_DEP

tests/suites/test_suite_pem.data

@@ -0,0 +1,17 @@
+Standard PEM write
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8=\n-----END TEST-----\n"
+
+PEM write (zero data)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"":"-----START TEST-----\n-----END TEST-----\n"
+
+PEM write (one byte)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"00":"-----START TEST-----\nAA==\n-----END TEST-----\n"
+
+PEM write (more than line size)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8=\n-----END TEST-----\n"
+
+PEM write (exactly two lines)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\n-----END TEST-----\n"
+
+PEM write (exactly two lines + 1)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAA==\n-----END TEST-----\n"

tests/suites/test_suite_pem.function

@@ -0,0 +1,38 @@
+/* BEGIN_HEADER */
+#include <polarssl/base64.h>
+#include <polarssl/pem.h>
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:POLARSSL_PEM_WRITE_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void pem_write_buffer( char *start, char *end, char *buf_str, char *result_str )
+{
+    unsigned char buf[5000];
+    unsigned char *check_buf;
+    int ret;
+    size_t buf_len, olen = 0, olen2 = 0;
+
+    memset( buf, 0, sizeof( buf ) );
+
+    buf_len = unhexify( buf, buf_str );
+
+    ret = pem_write_buffer( start, end, buf, buf_len, NULL, 0, &olen );
+    TEST_ASSERT( ret == POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL );
+
+    check_buf = (unsigned char *) polarssl_malloc( olen );
+    TEST_ASSERT( check_buf != NULL );
+
+    memset( check_buf, 0, olen );
+    ret = pem_write_buffer( start, end, buf, buf_len, check_buf, olen, &olen2 );
+
+    TEST_ASSERT( olen2 <= olen );
+    TEST_ASSERT( olen > strlen( (char*) result_str ) );
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( strncmp( (char *) check_buf, (char *) result_str, olen ) == 0 );
+    polarssl_free( check_buf );
+}
+/* END_CASE */