mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-29 17:34:22 +01:00
Fix potential buffer overflow in asn1write
Ref: IOTSSL-519
backport of 22c3b7b
This commit is contained in:
parent
215a14bf29
commit
758f490c90
@ -9,6 +9,10 @@ Security
|
|||||||
* Fix potential heap corruption on Windows when
|
* Fix potential heap corruption on Windows when
|
||||||
x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
|
x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
|
||||||
triggered remotely. Found by Guido Vranken, Interlworks.
|
triggered remotely. Found by Guido Vranken, Interlworks.
|
||||||
|
* Fix potential buffer overflow in some asn1_write_xxx() functions.
|
||||||
|
Cannot be triggered remotely unless you create X.509 certificates based
|
||||||
|
on untrusted input or write keys of untrusted origin. Found by Guido
|
||||||
|
Vranken, Interlworks.
|
||||||
|
|
||||||
= mbed TLS 1.3.14 released 2015-10-06
|
= mbed TLS 1.3.14 released 2015-10-06
|
||||||
|
|
||||||
|
@ -88,7 +88,7 @@ int asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
|
|||||||
{
|
{
|
||||||
size_t len = 0;
|
size_t len = 0;
|
||||||
|
|
||||||
if( *p - start < (int) size )
|
if( *p < start || (size_t)( *p - start ) < size )
|
||||||
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
|
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
len = size;
|
len = size;
|
||||||
@ -108,7 +108,7 @@ int asn1_write_mpi( unsigned char **p, unsigned char *start, mpi *X )
|
|||||||
//
|
//
|
||||||
len = mpi_size( X );
|
len = mpi_size( X );
|
||||||
|
|
||||||
if( *p - start < (int) len )
|
if( *p < start || (size_t)( *p - start ) < len )
|
||||||
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
|
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
(*p) -= len;
|
(*p) -= len;
|
||||||
@ -271,7 +271,7 @@ int asn1_write_bitstring( unsigned char **p, unsigned char *start,
|
|||||||
|
|
||||||
// Calculate byte length
|
// Calculate byte length
|
||||||
//
|
//
|
||||||
if( *p - start < (int) size + 1 )
|
if( *p < start || (size_t)( *p - start ) < size + 1 )
|
||||||
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
|
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
len = size + 1;
|
len = size + 1;
|
||||||
|
Loading…
Reference in New Issue
Block a user