Merge pull request #5802 from wernerlewis/asn1_memcpy_null_2.28

[Backport 2.28] Fix memcpy() UB in mbedtls_asn1_named_data()

ChangeLog.d/fix-undefined-memcpy-mbedtls_asn1_named_data.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
+     not NULL and val_len is zero.

library/asn1write.c

@@ -472,7 +472,7 @@ mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(
         cur->val.len = val_len;
     }
 
-    if( val != NULL )
+    if( val != NULL && val_len != 0 )
         memcpy( cur->val.p, val, val_len );
 
     return( cur );

tests/suites/test_suite_asn1write.data

@@ -374,10 +374,13 @@ Store named data: found, larger data
 store_named_data_val_found:4:9
 
 Store named data: new, val_len=0
-store_named_data_val_new:0
+store_named_data_val_new:0:1
+
+Stored named data: new, val_len=0, val=NULL
+store_named_data_val_new:0:0
 
 Store named data: new, val_len=4
-store_named_data_val_new:4
+store_named_data_val_new:4:1
 
 Store named data: new, val_len=4, val=NULL
-store_named_data_val_new:-4
+store_named_data_val_new:4:0

tests/suites/test_suite_asn1write.function

@@ -431,7 +431,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void store_named_data_val_new( int new_len )
+void store_named_data_val_new( int new_len, int set_new_val )
 {
     mbedtls_asn1_named_data *head = NULL;
     mbedtls_asn1_named_data *found = NULL;
@@ -439,10 +439,8 @@ void store_named_data_val_new( int new_len )
     size_t oid_len = strlen( (const char *) oid );
     const unsigned char *new_val = (unsigned char *) "new value";
 
-    if( new_len <= 0 )
+    if( set_new_val == 0 )
         new_val = NULL;
-    if( new_len < 0 )
-        new_len = - new_len;
 
     found = mbedtls_asn1_store_named_data( &head,
                                            (const char *) oid, oid_len,