Fix integer overflows in buffer bound checks

Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
This commit is contained in:
Andres Amaya Garcia 2017-01-18 13:56:58 +00:00 committed by Simon Butcher
parent 29b43737ba
commit cfad181250
4 changed files with 11 additions and 4 deletions

View File

@ -9,6 +9,12 @@ Bugfix
* Fix unused variable/function compilation warnings in pem.c and x509_csr.c * Fix unused variable/function compilation warnings in pem.c and x509_csr.c
that are reported when building mbed TLS with a config.h that does not that are reported when building mbed TLS with a config.h that does not
define POLARSSL_PEM_PARSE_C. #562 define POLARSSL_PEM_PARSE_C. #562
* Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_md2_update() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
= mbed TLS 1.3.18 branch 2016-10-17 = mbed TLS 1.3.18 branch 2016-10-17

View File

@ -315,9 +315,9 @@ int cipher_update( cipher_context_t *ctx, const unsigned char *input,
* If there is not enough data for a full block, cache it. * If there is not enough data for a full block, cache it.
*/ */
if( ( ctx->operation == POLARSSL_DECRYPT && if( ( ctx->operation == POLARSSL_DECRYPT &&
ilen + ctx->unprocessed_len <= cipher_get_block_size( ctx ) ) || ilen <= cipher_get_block_size( ctx ) - ctx->unprocessed_len ) ||
( ctx->operation == POLARSSL_ENCRYPT && ( ctx->operation == POLARSSL_ENCRYPT &&
ilen + ctx->unprocessed_len < cipher_get_block_size( ctx ) ) ) ilen < cipher_get_block_size( ctx ) - ctx->unprocessed_len ) )
{ {
memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
ilen ); ilen );

View File

@ -277,7 +277,8 @@ int ctr_drbg_reseed( ctr_drbg_context *ctx,
unsigned char seed[CTR_DRBG_MAX_SEED_INPUT]; unsigned char seed[CTR_DRBG_MAX_SEED_INPUT];
size_t seedlen = 0; size_t seedlen = 0;
if( ctx->entropy_len + len > CTR_DRBG_MAX_SEED_INPUT ) if( ctx->entropy_len > CTR_DRBG_MAX_SEED_INPUT ||
len > CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
return( POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG ); return( POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG );
memset( seed, 0, CTR_DRBG_MAX_SEED_INPUT ); memset( seed, 0, CTR_DRBG_MAX_SEED_INPUT );

View File

@ -155,7 +155,7 @@ void md2_update( md2_context *ctx, const unsigned char *input, size_t ilen )
while( ilen > 0 ) while( ilen > 0 )
{ {
if( ctx->left + ilen > 16 ) if( ilen > 16 - ctx->left )
fill = 16 - ctx->left; fill = 16 - ctx->left;
else else
fill = ilen; fill = ilen;