mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-25 15:05:45 +01:00
Merge remote-tracking branch 'upstream-public/pr/2131' into development
This commit is contained in:
commit
bc1cf5cd36
@ -43,6 +43,9 @@ Bugfix
|
|||||||
* Fix runtime error in `mbedtls_platform_entropy_poll()` when run
|
* Fix runtime error in `mbedtls_platform_entropy_poll()` when run
|
||||||
through qemu user emulation. Reported and fix suggested by randombit
|
through qemu user emulation. Reported and fix suggested by randombit
|
||||||
in #1212. Fixes #1212.
|
in #1212. Fixes #1212.
|
||||||
|
* Fix an unsafe bounds check when restoring an SSL session from a ticket.
|
||||||
|
This could lead to a buffer overflow, but only in case ticket authentication
|
||||||
|
was broken. Reported and fix suggested by Guido Vranken in #659.
|
||||||
|
|
||||||
= mbed TLS 2.14.0 branch released 2018-11-19
|
= mbed TLS 2.14.0 branch released 2018-11-19
|
||||||
|
|
||||||
|
@ -188,9 +188,9 @@ static int ssl_save_session( const mbedtls_ssl_session *session,
|
|||||||
if( left < 3 + cert_len )
|
if( left < 3 + cert_len )
|
||||||
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||||
|
|
||||||
*p++ = (unsigned char)( cert_len >> 16 & 0xFF );
|
*p++ = (unsigned char)( ( cert_len >> 16 ) & 0xFF );
|
||||||
*p++ = (unsigned char)( cert_len >> 8 & 0xFF );
|
*p++ = (unsigned char)( ( cert_len >> 8 ) & 0xFF );
|
||||||
*p++ = (unsigned char)( cert_len & 0xFF );
|
*p++ = (unsigned char)( ( cert_len ) & 0xFF );
|
||||||
|
|
||||||
if( session->peer_cert != NULL )
|
if( session->peer_cert != NULL )
|
||||||
memcpy( p, session->peer_cert->raw.p, cert_len );
|
memcpy( p, session->peer_cert->raw.p, cert_len );
|
||||||
@ -215,14 +215,14 @@ static int ssl_load_session( mbedtls_ssl_session *session,
|
|||||||
size_t cert_len;
|
size_t cert_len;
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
if( p + sizeof( mbedtls_ssl_session ) > end )
|
if( sizeof( mbedtls_ssl_session ) > (size_t)( end - p ) )
|
||||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
memcpy( session, p, sizeof( mbedtls_ssl_session ) );
|
memcpy( session, p, sizeof( mbedtls_ssl_session ) );
|
||||||
p += sizeof( mbedtls_ssl_session );
|
p += sizeof( mbedtls_ssl_session );
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
if( p + 3 > end )
|
if( 3 > (size_t)( end - p ) )
|
||||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
|
cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
|
||||||
@ -236,7 +236,7 @@ static int ssl_load_session( mbedtls_ssl_session *session,
|
|||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
if( p + cert_len > end )
|
if( cert_len > (size_t)( end - p ) )
|
||||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
|
session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
|
||||||
@ -247,7 +247,7 @@ static int ssl_load_session( mbedtls_ssl_session *session,
|
|||||||
mbedtls_x509_crt_init( session->peer_cert );
|
mbedtls_x509_crt_init( session->peer_cert );
|
||||||
|
|
||||||
if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
|
if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
|
||||||
p, cert_len ) ) != 0 )
|
p, cert_len ) ) != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_x509_crt_free( session->peer_cert );
|
mbedtls_x509_crt_free( session->peer_cert );
|
||||||
mbedtls_free( session->peer_cert );
|
mbedtls_free( session->peer_cert );
|
||||||
|
Loading…
Reference in New Issue
Block a user