From 261faed725e29bd34abbf1f95df5fab43791f40c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Oct 2015 10:16:29 +0200 Subject: [PATCH] Fix potential heap corruption on Windows If len is large enough, when cast to an int it will be negative and then the test if( len > MAX_PATH - 3 ) will not behave as expected. --- ChangeLog | 7 +++++++ library/x509_crt.c | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index aa96b1848..9204fd087 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,12 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.2.0 released 2015-10-xx + +Security + * Fix potential heap corruption on Windows when + mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be + triggered remotely. Found by Guido Vranken, Interlworks. + = mbed TLS 2.1.2 released 2015-10-06 Security diff --git a/library/x509_crt.c b/library/x509_crt.c index f6879ddcf..5dc656884 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1097,7 +1097,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ) WCHAR szDir[MAX_PATH]; char filename[MAX_PATH]; char *p; - int len = (int) strlen( path ); + size_t len = strlen( path ); WIN32_FIND_DATAW file_data; HANDLE hFind; @@ -1131,7 +1131,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ) w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName, lstrlenW( file_data.cFileName ), - p, len - 1, + p, (int) len - 1, NULL, NULL ); if( w_ret == 0 ) return( MBEDTLS_ERR_X509_FILE_IO_ERROR );