Fix 1 byte overread in mbedtls_asn1_get_int()

2024-11-22 06:25:41 +01:00 · 2016-09-26 09:52:41 +01:00 · 2016-09-26 09:52:41 +01:00 · 776a6fcd1a
commit 776a6fcd1a
parent cd153278eb
2 changed files with 3 additions and 3 deletions
--- a/4
+++ b/4
@ -31,13 +31,13 @@ Bugfix
     a contribution from Tobias Tangemann. #541
   * Fixed cert_app sample program for debug output and for use when no root
     certificates are provided.
+   * Fix conditional statement that would cause a 1 byte overread in
+     mbedtls_asn1_get_int(). Found and fixed by Guido Vranken.
   * Fixed pthread implementation to avoid unintended double initialisations
     and double frees. (found by Niklas Amnebratt)
   * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
     builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
     by inestlerode. #559.
-   * Fixed default threading implementation to avoid accidental double
-     initialisations and double frees.

 Changes
   * Extended test coverage of special cases, and added new timing test suite.
--- a/library/asn1parse.c
+++ b/library/asn1parse.c
@ -153,7 +153,7 @@ int mbedtls_asn1_get_int( unsigned char **p,
    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
        return( ret );

-    if( len > sizeof( int ) || ( **p & 0x80 ) != 0 )
+    if( len == 0 || len > sizeof( int ) || ( **p & 0x80 ) != 0 )
        return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );

    *val = 0;