yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-26 02:05:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge fix for IOTSSL-474 PKCS12 Overflow

Browse Source 
Fix stack buffer overflow in PKCS12
This commit is contained in:
Simon Butcher 2015-10-04 22:47:59 +01:00
commit d5ba4672b2
2 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -4,10 +4,13 @@ mbed TLS ChangeLog (Sorted per branch, date)
Security Security
* Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer * Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer
overflow of the hostname or session ticket. (Found by Guido Vranken). overflow of the hostname or session ticket. Found by Guido Vranken.
* Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
once in the same handhake and mbedtls_ssl_conf_psk() was used. once in the same handhake and mbedtls_ssl_conf_psk() was used.
Found and patch provided by Guido Vranken. Cannot be forced remotely. Found and patch provided by Guido Vranken. Cannot be forced remotely.
* Fix stack buffer overflow in pkcs12 decryption (used by
mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
Found by Guido Vranken. Not triggerable remotely.
Changes Changes
* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure

9
library/pkcs12.c
View File

@ -86,6 +86,8 @@ static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params,
return( 0 ); return( 0 );
} }
#define PKCS12_MAX_PWDLEN 128
static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type, static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
const unsigned char *pwd, size_t pwdlen, const unsigned char *pwd, size_t pwdlen,
unsigned char *key, size_t keylen, unsigned char *key, size_t keylen,
@ -94,7 +96,10 @@ static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_ty
int ret, iterations; int ret, iterations;
mbedtls_asn1_buf salt; mbedtls_asn1_buf salt;
size_t i; size_t i;
unsigned char unipwd[258]; unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
if( pwdlen > PKCS12_MAX_PWDLEN )
return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA );
memset( &salt, 0, sizeof(mbedtls_asn1_buf) ); memset( &salt, 0, sizeof(mbedtls_asn1_buf) );
memset( &unipwd, 0, sizeof(unipwd) ); memset( &unipwd, 0, sizeof(unipwd) );
@ -125,6 +130,8 @@ static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_ty
return( 0 ); return( 0 );
} }
#undef PKCS12_MAX_PWDLEN
int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode, int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode,
const unsigned char *pwd, size_t pwdlen, const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t len, const unsigned char *data, size_t len,