Fix other occurrences of same bounds check issue

Security impact is the same: not triggerrable remotely except in very specific
use cases
This commit is contained in:
Manuel Pégourié-Gonnard 2015-10-21 12:23:09 +02:00
parent 0d66bb959f
commit 5784dd5ac8
2 changed files with 5 additions and 2 deletions

View File

@ -96,7 +96,7 @@ static int pk_write_ec_pubkey( unsigned char **p, unsigned char *start,
return( ret ); return( ret );
} }
if( *p - start < (int) len ) if( *p < start || (size_t)( *p - start ) < len )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
*p -= len; *p -= len;

View File

@ -259,13 +259,16 @@ int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
int ret; int ret;
size_t len = 0; size_t len = 0;
if( *p - start < (int) size + 1 ) if( *p < start || (size_t)( *p - start ) < size )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
len = size; len = size;
(*p) -= len; (*p) -= len;
memcpy( *p, sig, len ); memcpy( *p, sig, len );
if( *p - start < 1 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
*--(*p) = 0; *--(*p) = 0;
len += 1; len += 1;