Fix stack buffer overflow in pkcs12

ChangeLog

@@ -1,5 +1,13 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+
+= mbed TLS 1.3.14 reladsed 2015-10-??
+
+Security
+   * Fix stack buffer overflow in pkcs12 decryption (used by
+     mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
+     Found by Guido Vranken. Not triggerable remotely.
+
 = mbed TLS 1.3.13 reladsed 2015-09-17
 
 Security

library/pkcs12.c

@@ -87,6 +87,8 @@ static int pkcs12_parse_pbe_params( asn1_buf *params,
     return( 0 );
 }
 
+#define PKCS12_MAX_PWDLEN 128
+
 static int pkcs12_pbe_derive_key_iv( asn1_buf *pbe_params, md_type_t md_type,
                                      const unsigned char *pwd,  size_t pwdlen,
                                      unsigned char *key, size_t keylen,
@@ -95,7 +97,10 @@ static int pkcs12_pbe_derive_key_iv( asn1_buf *pbe_params, md_type_t md_type,
     int ret, iterations;
     asn1_buf salt;
     size_t i;
-    unsigned char unipwd[258];
+    unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
+
+    if( pwdlen > PKCS12_MAX_PWDLEN )
+        return( POLARSSL_ERR_PKCS12_BAD_INPUT_DATA );
 
     memset( &salt, 0, sizeof(asn1_buf) );
     memset( &unipwd, 0, sizeof(unipwd) );
@@ -126,6 +131,8 @@ static int pkcs12_pbe_derive_key_iv( asn1_buf *pbe_params, md_type_t md_type,
     return( 0 );
 }
 
+#undef PKCS12_MAX_PWDLEN
+
 int pkcs12_pbe_sha1_rc4_128( asn1_buf *pbe_params, int mode,
                              const unsigned char *pwd,  size_t pwdlen,
                              const unsigned char *data, size_t len,