mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-25 17:05:42 +01:00
Merge fix of IOTSSL-496 - Potential heap overflow
Fix for potential overflow in ssl_write_certificate_request()
This commit is contained in:
commit
475cf0a98a
@ -28,6 +28,10 @@ Security
|
|||||||
* Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
|
* Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
|
||||||
the same mbedtls_ssl_config object and memory allocation fails. Found by
|
the same mbedtls_ssl_config object and memory allocation fails. Found by
|
||||||
Guido Vranken, Intelworks. Cannot be forced remotely.
|
Guido Vranken, Intelworks. Cannot be forced remotely.
|
||||||
|
* Fix potential heap buffer overflow in servers that perform client
|
||||||
|
authentication against a crafted CA cert. Cannot be triggered remotely
|
||||||
|
unless you allow third parties to pick trust CAs for client auth.
|
||||||
|
Found by Guido Vranken, Intelworks.
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
|
* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
|
||||||
|
@ -2351,6 +2351,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
|||||||
size_t dn_size, total_dn_size; /* excluding length bytes */
|
size_t dn_size, total_dn_size; /* excluding length bytes */
|
||||||
size_t ct_len, sa_len; /* including length bytes */
|
size_t ct_len, sa_len; /* including length bytes */
|
||||||
unsigned char *buf, *p;
|
unsigned char *buf, *p;
|
||||||
|
const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||||
const mbedtls_x509_crt *crt;
|
const mbedtls_x509_crt *crt;
|
||||||
int authmode;
|
int authmode;
|
||||||
|
|
||||||
@ -2471,10 +2472,14 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
|||||||
total_dn_size = 0;
|
total_dn_size = 0;
|
||||||
while( crt != NULL && crt->version != 0 )
|
while( crt != NULL && crt->version != 0 )
|
||||||
{
|
{
|
||||||
if( p - buf > 4096 )
|
|
||||||
break;
|
|
||||||
|
|
||||||
dn_size = crt->subject_raw.len;
|
dn_size = crt->subject_raw.len;
|
||||||
|
|
||||||
|
if( end < p || (size_t)( end - p ) < 2 + dn_size )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
*p++ = (unsigned char)( dn_size >> 8 );
|
*p++ = (unsigned char)( dn_size >> 8 );
|
||||||
*p++ = (unsigned char)( dn_size );
|
*p++ = (unsigned char)( dn_size );
|
||||||
memcpy( p, crt->subject_raw.p, dn_size );
|
memcpy( p, crt->subject_raw.p, dn_size );
|
||||||
|
Loading…
Reference in New Issue
Block a user