mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-29 19:04:19 +01:00
Better checking for reading over buffer boundaries
(Partial cherry picked from commit 535e97dbab
)
This commit is contained in:
parent
087e0379c5
commit
7261cbaa91
@ -7,6 +7,7 @@ Bugfix
|
|||||||
* mpi_add_abs() now correctly handles adding short numbers to long numbers
|
* mpi_add_abs() now correctly handles adding short numbers to long numbers
|
||||||
with carry rollover
|
with carry rollover
|
||||||
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
|
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
|
||||||
|
* Prevent reading over buffer boundaries on X509 certificate parsing
|
||||||
|
|
||||||
Security
|
Security
|
||||||
* Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
|
* Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
|
||||||
|
@ -1241,7 +1241,8 @@ int x509parse_crt_der( x509_cert *crt, const unsigned char *buf, size_t buflen )
|
|||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
if( memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
|
if( crt->sig_oid1.len != crt->sig_oid2.len ||
|
||||||
|
memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
|
||||||
{
|
{
|
||||||
x509_free( crt );
|
x509_free( crt );
|
||||||
return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
|
return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
|
||||||
@ -1662,7 +1663,8 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen )
|
|||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
if( memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
|
if( crl->sig_oid1.len != crl->sig_oid2.len ||
|
||||||
|
memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
|
||||||
{
|
{
|
||||||
x509_crl_free( crl );
|
x509_crl_free( crl );
|
||||||
return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
|
return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
|
||||||
@ -2348,7 +2350,8 @@ int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn )
|
|||||||
SAFE_SNPRINTF();
|
SAFE_SNPRINTF();
|
||||||
}
|
}
|
||||||
|
|
||||||
if( memcmp( name->oid.p, OID_X520, 2 ) == 0 )
|
if( name->oid.len == 3 &&
|
||||||
|
memcmp( name->oid.p, OID_X520, 2 ) == 0 )
|
||||||
{
|
{
|
||||||
switch( name->oid.p[2] )
|
switch( name->oid.p[2] )
|
||||||
{
|
{
|
||||||
@ -2377,7 +2380,8 @@ int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn )
|
|||||||
}
|
}
|
||||||
SAFE_SNPRINTF();
|
SAFE_SNPRINTF();
|
||||||
}
|
}
|
||||||
else if( memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
|
else if( name->oid.len == 9 &&
|
||||||
|
memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
|
||||||
{
|
{
|
||||||
switch( name->oid.p[8] )
|
switch( name->oid.p[8] )
|
||||||
{
|
{
|
||||||
@ -2898,9 +2902,10 @@ int x509parse_verify( x509_cert *crt,
|
|||||||
|
|
||||||
while( name != NULL )
|
while( name != NULL )
|
||||||
{
|
{
|
||||||
if( memcmp( name->oid.p, OID_CN, 3 ) == 0 &&
|
if( name->oid.len == 3 &&
|
||||||
memcmp( name->val.p, cn, cn_len ) == 0 &&
|
memcmp( name->oid.p, OID_CN, 3 ) == 0 &&
|
||||||
name->val.len == cn_len )
|
name->val.len == cn_len &&
|
||||||
|
memcmp( name->val.p, cn, cn_len ) == 0 )
|
||||||
break;
|
break;
|
||||||
|
|
||||||
name = name->next;
|
name = name->next;
|
||||||
|
Loading…
Reference in New Issue
Block a user