Fix potential buffer overflow in asn1write

Manuel Pégourié-Gonnard 2015-10-21 12:07:47 +02:00
parent cdea97c1c3
commit 22c3b7b9da
2 changed files with 11 additions and 3 deletions


@ -1,5 +1,13 @@
mbed TLS ChangeLog (Sorted per branch, date) mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.2.R0released 2015-10-xx
Security
* Fix potential buffer overflow in some asn1_write_xxx() functions.
Cannot be triggered remotely unless you create X.509 certificates based
on untrusted input or write keys of untrusted origin. Found by Guido
Vranken, Interlworks.
= mbed TLS 2.1.2 released 2015-10-06 = mbed TLS 2.1.2 released 2015-10-06
Security Security


@ -87,7 +87,7 @@ int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
{ {
size_t len = 0; size_t len = 0;
if( *p - start < (int) size ) if( *p < start || (size_t)( *p - start ) < size )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
len = size; len = size;
@ -107,7 +107,7 @@ int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start, const mbedt
// //
len = mbedtls_mpi_size( X ); len = mbedtls_mpi_size( X );
if( *p - start < (int) len ) if( *p < start || (size_t)( *p - start ) < len )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len; (*p) -= len;
@ -270,7 +270,7 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
// Calculate byte length // Calculate byte length
// //
if( *p - start < (int) size + 1 ) if( *p < start || (size_t)( *p - start ) < size + 1 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
len = size + 1; len = size + 1;
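Review bot: In the mbedtls_asn1_write_bitstring hunk the new guard still evaluates `size + 1` in size_t, which wraps to 0 if size is ever SIZE_MAX and would let the check pass; size is derived outside the hunk, so whether that value is reachable cannot be confirmed from here. Writing the comparison as `if( *p < start || (size_t)( *p - start ) <= size )` gives the same result for every other value and needs no addition. The same guard now appears in mbedtls_asn1_write_raw_buffer and mbedtls_asn1_write_mpi as well, and a short comment on each, such as `/* compare in size_t: (int) size can go negative for large lengths */`, would record why the cast moved. The commit touches only the ChangeLog and this file, so a regression test that calls these writers with a length larger than the space left in the buffer would keep the check from being weakened later. All three function bodies start and end outside the hunks shown.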