From a45aa1399bcbcffadd600369c1f8d9016d7886ba Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Mon, 5 Oct 2015 00:26:36 +0100 Subject: [PATCH] Merge of IOTSSL-476 - Random malloc in pem_read() --- ChangeLog | 4 ++++ library/base64.c | 3 +++ library/pem.c | 3 +++ 3 files changed, 10 insertions(+) diff --git a/ChangeLog b/ChangeLog index 63cedaa1c..2aa7a2182 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,10 @@ Security but might be in other uses. On 32 bit machines, requires reading a string of close to or larger than 1GB to exploit; on 64 bit machines, would require reading a string of close to or larger than 2^62 bytes. + * Fix potential random memory allocation in mbedtls_pem_read_buffer() + on crafted PEM input data. Found an fix provided by Guid Vranken. + Not triggerable remotely in TLS. Triggerable remotely if you accept PEM + data from an untrusted source. Changes * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure diff --git a/library/base64.c b/library/base64.c index 16c254da9..e468e2cbc 100644 --- a/library/base64.c +++ b/library/base64.c @@ -184,7 +184,10 @@ int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen, } if( n == 0 ) + { + *olen = 0; return( 0 ); + } n = ( ( n * 6 ) + 7 ) >> 3; n -= j; diff --git a/library/pem.c b/library/pem.c index 541e870c3..1ee3966e1 100644 --- a/library/pem.c +++ b/library/pem.c @@ -316,6 +316,9 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */ } + if( s1 == s2 ) + return( MBEDTLS_ERR_PEM_INVALID_DATA ); + ret = mbedtls_base64_decode( NULL, 0, &len, s1, s2 - s1 ); if( ret == MBEDTLS_ERR_BASE64_INVALID_CHARACTER )