mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-27 06:04:17 +01:00
Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions: * mbedtls_md2_update() to be bypassed and cause * mbedtls_cipher_update() * mbedtls_ctr_drbg_reseed() This overflows would mainly be exploitable in 32-bit systems and could cause buffer bound checks to be bypassed.
This commit is contained in:
parent
016a0d3b6f
commit
ba2fda645a
10
ChangeLog
10
ChangeLog
@ -1,5 +1,15 @@
|
||||
mbed TLS ChangeLog (Sorted per branch, date)
|
||||
|
||||
= mbed TLS 2.x.x branch released xxxx-xx-xx
|
||||
|
||||
Bugfix
|
||||
* Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
|
||||
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
|
||||
* Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
|
||||
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
|
||||
* Fixed potential arithmetic overflow in mbedtls_md2_update() that could
|
||||
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
|
||||
|
||||
= mbed TLS 2.1.6 branch released 2016-10-17
|
||||
|
||||
Security
|
||||
|
@ -300,9 +300,9 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i
|
||||
* If there is not enough data for a full block, cache it.
|
||||
*/
|
||||
if( ( ctx->operation == MBEDTLS_DECRYPT &&
|
||||
ilen + ctx->unprocessed_len <= mbedtls_cipher_get_block_size( ctx ) ) ||
|
||||
ilen <= mbedtls_cipher_get_block_size( ctx ) - ctx->unprocessed_len ) ||
|
||||
( ctx->operation == MBEDTLS_ENCRYPT &&
|
||||
ilen + ctx->unprocessed_len < mbedtls_cipher_get_block_size( ctx ) ) )
|
||||
ilen < mbedtls_cipher_get_block_size( ctx ) - ctx->unprocessed_len ) )
|
||||
{
|
||||
memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
|
||||
ilen );
|
||||
|
@ -290,7 +290,8 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
|
||||
unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
|
||||
size_t seedlen = 0;
|
||||
|
||||
if( ctx->entropy_len + len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
|
||||
if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ||
|
||||
len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
|
||||
return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
|
||||
|
||||
memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
|
||||
|
@ -158,7 +158,7 @@ void mbedtls_md2_update( mbedtls_md2_context *ctx, const unsigned char *input, s
|
||||
|
||||
while( ilen > 0 )
|
||||
{
|
||||
if( ctx->left + ilen > 16 )
|
||||
if( ilen > 16 - ctx->left )
|
||||
fill = 16 - ctx->left;
|
||||
else
|
||||
fill = ilen;
|
||||
|
Loading…
Reference in New Issue
Block a user