Fix potential buffer overflow in asn1write

2024-11-22 12:35:40 +01:00 · 2015-10-21 12:07:47 +02:00 · 2015-10-21 12:07:47 +02:00 · 22c3b7b9da
commit 22c3b7b9da
parent cdea97c1c3
2 changed files with 11 additions and 3 deletions
--- a/8
+++ b/8
@ -1,5 +1,13 @@
 mbed TLS ChangeLog (Sorted per branch, date)

+= mbed TLS 2.2.R0released 2015-10-xx
+
+Security
+   * Fix potential buffer overflow in some asn1_write_xxx() functions.
+     Cannot be triggered remotely unless you create X.509 certificates based
+     on untrusted input or write keys of untrusted origin. Found by Guido
+     Vranken, Interlworks.
+
 = mbed TLS 2.1.2 released 2015-10-06

 Security
--- a/library/asn1write.c
+++ b/library/asn1write.c
@ -87,7 +87,7 @@ int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
 {
    size_t len = 0;

-    if( *p - start < (int) size )
+    if( *p < start || (size_t)( *p - start ) < size )
        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );

    len = size;
@ -107,7 +107,7 @@ int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start, const mbedt
    //
    len = mbedtls_mpi_size( X );

-    if( *p - start < (int) len )
+    if( *p < start || (size_t)( *p - start ) < len )
        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );

    (*p) -= len;
@ -270,7 +270,7 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,

    // Calculate byte length
    //
-    if( *p - start < (int) size + 1 )
+    if( *p < start || (size_t)( *p - start ) < size + 1 )
        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );

    len = size + 1;