Better checking for reading over buffer boundaries

(Partial cherry picked from commit 535e97dbab)
2024-11-26 03:05:44 +01:00 · 2013-01-16 12:39:54 +01:00 · 2013-01-16 12:39:54 +01:00 · 7261cbaa91
commit 7261cbaa91
parent 087e0379c5
2 changed files with 13 additions and 7 deletions
--- a/1
+++ b/1
@ -7,6 +7,7 @@ Bugfix
   * mpi_add_abs() now correctly handles adding short numbers to long numbers
     with carry rollover
   * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
+   * Prevent reading over buffer boundaries on X509 certificate parsing

 Security
   * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
--- a/library/x509parse.c
+++ b/library/x509parse.c
@ -1241,7 +1241,8 @@ int x509parse_crt_der( x509_cert *crt, const unsigned char *buf, size_t buflen )
        return( ret );
    }

-    if( memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
+    if( crt->sig_oid1.len != crt->sig_oid2.len ||
+        memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
    {
        x509_free( crt );
        return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
@ -1662,7 +1663,8 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen )
        return( ret );
    }

-    if( memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
+    if( crl->sig_oid1.len != crl->sig_oid2.len ||
+        memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
    {
        x509_crl_free( crl );
        return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
@ -2348,7 +2350,8 @@ int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn )
            SAFE_SNPRINTF();
        }

-        if( memcmp( name->oid.p, OID_X520, 2 ) == 0 )
+        if( name->oid.len == 3 &&
+            memcmp( name->oid.p, OID_X520, 2 ) == 0 )
        {
            switch( name->oid.p[2] )
            {
@ -2377,7 +2380,8 @@ int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn )
            }
        SAFE_SNPRINTF();
        }
-        else if( memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
+        else if( name->oid.len == 9 &&
+                 memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
        {
            switch( name->oid.p[8] )
            {
@ -2898,9 +2902,10 @@ int x509parse_verify( x509_cert *crt,

        while( name != NULL )
        {
-            if( memcmp( name->oid.p, OID_CN,  3 ) == 0 &&
-                memcmp( name->val.p, cn, cn_len ) == 0 &&
-                name->val.len == cn_len )
+            if( name->oid.len == 3 &&
+                memcmp( name->oid.p, OID_CN,  3 ) == 0 &&
+                name->val.len == cn_len &&
+                memcmp( name->val.p, cn, cn_len ) == 0 )
                break;

            name = name->next;