mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-22 12:15:38 +01:00
Fix len miscalculation in buffer-based allocator
This commit is contained in:
parent
547ff6618f
commit
5dd28ea432
@ -18,6 +18,9 @@ Security
|
||||
Bugfix
|
||||
* Stack buffer overflow if ctr_drbg_update() is called with too large
|
||||
add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
|
||||
* Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
|
||||
if memory_buffer_alloc_init() was called with buf not aligned and len not
|
||||
a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE.
|
||||
|
||||
= PolarSSL 1.3.9 released 2014-10-20
|
||||
Security
|
||||
|
@ -563,9 +563,11 @@ int memory_buffer_alloc_init( unsigned char *buf, size_t len )
|
||||
|
||||
if( (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE )
|
||||
{
|
||||
/* Adjust len first since buf is used in the computation */
|
||||
len -= POLARSSL_MEMORY_ALIGN_MULTIPLE
|
||||
- (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;
|
||||
buf += POLARSSL_MEMORY_ALIGN_MULTIPLE
|
||||
- (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;
|
||||
len -= (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;
|
||||
}
|
||||
|
||||
heap.buf = buf;
|
||||
@ -623,9 +625,9 @@ static int check_all_free( )
|
||||
|
||||
int memory_buffer_alloc_self_test( int verbose )
|
||||
{
|
||||
int ret = 0;
|
||||
unsigned char buf[1024];
|
||||
unsigned char *p, *q, *r;
|
||||
unsigned char *p, *q, *r, *end;
|
||||
int ret = 0;
|
||||
|
||||
if( verbose != 0 )
|
||||
polarssl_printf( " MBA test #1 (basic alloc-free cycle): " );
|
||||
@ -646,6 +648,9 @@ int memory_buffer_alloc_self_test( int verbose )
|
||||
|
||||
TEST_ASSERT( check_all_free( ) == 0 );
|
||||
|
||||
/* Memorize end to compare with the next test */
|
||||
end = heap.buf + heap.len;
|
||||
|
||||
memory_buffer_alloc_free( );
|
||||
|
||||
if( verbose != 0 )
|
||||
@ -656,6 +661,8 @@ int memory_buffer_alloc_self_test( int verbose )
|
||||
|
||||
memory_buffer_alloc_init( buf + 1, sizeof( buf ) - 1 );
|
||||
|
||||
TEST_ASSERT( heap.buf + heap.len == end );
|
||||
|
||||
p = polarssl_malloc( 1 );
|
||||
q = polarssl_malloc( 128 );
|
||||
r = polarssl_malloc( 16 );
|
||||
|
Loading…
Reference in New Issue
Block a user