From 7b4b2ac378c6a93512fa22f1820a2a0201686e1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 28 Sep 2015 18:34:48 +0200 Subject: [PATCH] Fix stack buffer overflow in pkcs12 --- ChangeLog | 8 ++++++++ library/pkcs12.c | 9 ++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 44f440819..735e44300 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,13 @@ mbed TLS ChangeLog (Sorted per branch, date) + += mbed TLS 1.3.14 reladsed 2015-10-?? + +Security + * Fix stack buffer overflow in pkcs12 decryption (used by + mbedtls_pk_parse_key(file)() when the password is > 129 bytes. + Found by Guido Vranken. Not triggerable remotely. + = mbed TLS 1.3.13 reladsed 2015-09-17 Security diff --git a/library/pkcs12.c b/library/pkcs12.c index f84fd52cd..dff01a778 100644 --- a/library/pkcs12.c +++ b/library/pkcs12.c @@ -87,6 +87,8 @@ static int pkcs12_parse_pbe_params( asn1_buf *params, return( 0 ); } +#define PKCS12_MAX_PWDLEN 128 + static int pkcs12_pbe_derive_key_iv( asn1_buf *pbe_params, md_type_t md_type, const unsigned char *pwd, size_t pwdlen, unsigned char *key, size_t keylen, @@ -95,7 +97,10 @@ static int pkcs12_pbe_derive_key_iv( asn1_buf *pbe_params, md_type_t md_type, int ret, iterations; asn1_buf salt; size_t i; - unsigned char unipwd[258]; + unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2]; + + if( pwdlen > PKCS12_MAX_PWDLEN ) + return( POLARSSL_ERR_PKCS12_BAD_INPUT_DATA ); memset( &salt, 0, sizeof(asn1_buf) ); memset( &unipwd, 0, sizeof(unipwd) ); @@ -126,6 +131,8 @@ static int pkcs12_pbe_derive_key_iv( asn1_buf *pbe_params, md_type_t md_type, return( 0 ); } +#undef PKCS12_MAX_PWDLEN + int pkcs12_pbe_sha1_rc4_128( asn1_buf *pbe_params, int mode, const unsigned char *pwd, size_t pwdlen, const unsigned char *data, size_t len,