Fix potential buffer overflow in asn1write

Ref: IOTSSL-519

backport of 22c3b7b
This commit is contained in:
Manuel Pégourié-Gonnard 2015-10-21 12:07:47 +02:00
parent 215a14bf29
commit 758f490c90
2 changed files with 7 additions and 3 deletions

View File

@ -9,6 +9,10 @@ Security
* Fix potential heap corruption on Windows when * Fix potential heap corruption on Windows when
x509_crt_parse_path() is passed a path longer than 2GB. Cannot be x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
triggered remotely. Found by Guido Vranken, Interlworks. triggered remotely. Found by Guido Vranken, Interlworks.
* Fix potential buffer overflow in some asn1_write_xxx() functions.
Cannot be triggered remotely unless you create X.509 certificates based
on untrusted input or write keys of untrusted origin. Found by Guido
Vranken, Interlworks.
= mbed TLS 1.3.14 released 2015-10-06 = mbed TLS 1.3.14 released 2015-10-06

View File

@ -88,7 +88,7 @@ int asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
{ {
size_t len = 0; size_t len = 0;
if( *p - start < (int) size ) if( *p < start || (size_t)( *p - start ) < size )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL ); return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
len = size; len = size;
@ -108,7 +108,7 @@ int asn1_write_mpi( unsigned char **p, unsigned char *start, mpi *X )
// //
len = mpi_size( X ); len = mpi_size( X );
if( *p - start < (int) len ) if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL ); return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len; (*p) -= len;
@ -271,7 +271,7 @@ int asn1_write_bitstring( unsigned char **p, unsigned char *start,
// Calculate byte length // Calculate byte length
// //
if( *p - start < (int) size + 1 ) if( *p < start || (size_t)( *p - start ) < size + 1 )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL ); return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
len = size + 1; len = size + 1;