Fix incrementing pointer instead of value

This was introduced by a hasty search-and-replace that didn't account for C's
operator precedence when changing those variables to pointer types.
This commit is contained in:
Manuel Pégourié-Gonnard 2020-01-24 12:11:56 +01:00 committed by Manuel Pégourié-Gonnard
parent 39e2c0eeb6
commit 42b8194b53
2 changed files with 12 additions and 2 deletions

View File

@ -1,5 +1,15 @@
mbed TLS ChangeLog (Sorted per branch, date) mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.16.5 branch released xxxx-xx-xx
Security
* Fix potential memory overread when performing an ECDSA signature
operation. The overread only happens with cryptographically low
probability (of the order of 2^-n where n is the bitsize of the curve)
unless the RNG is broken, and could result in information disclosure or
denial of service (application crash or extra resource consumption).
Reported by Peter and Auke (found using static analysis).
= mbed TLS 2.16.4 branch released 2020-01-15 = mbed TLS 2.16.4 branch released 2020-01-15
Security Security

View File

@ -297,7 +297,7 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
*p_sign_tries = 0; *p_sign_tries = 0;
do do
{ {
if( *p_sign_tries++ > 10 ) if( (*p_sign_tries)++ > 10 )
{ {
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED; ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup; goto cleanup;
@ -310,7 +310,7 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
*p_key_tries = 0; *p_key_tries = 0;
do do
{ {
if( *p_key_tries++ > 10 ) if( (*p_key_tries)++ > 10 )
{ {
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED; ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup; goto cleanup;