Fix potential stack overflow

Manuel Pégourié-Gonnard 2014-11-12 01:25:31 +01:00
parent b134060f90
commit d681443f69
2 changed files with 30 additions and 23 deletions


@ -4,10 +4,13 @@ PolarSSL ChangeLog (Sorted per branch, date)
Security Security
* Fix remotely-triggerable uninitialised pointer dereference caused by * Fix remotely-triggerable uninitialised pointer dereference caused by
crafted X.509 certificate (server is not affected if it doesn't ask for a crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
client certificate) (found using Codenomicon Defensics). client certificate) (found using Codenomicon Defensics).
* Fix remotely-triggerable memory leak caused by crafted X.509 certificates * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
(server is not affected if it doesn't ask for a client certificate) (TLS server is not affected if it doesn't ask for a client certificate)
(found using Codenomicon Defensics).
* Fix potential stack overflow while parsing crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate)
(found using Codenomicon Defensics). (found using Codenomicon Defensics).
Features Features


@ -421,35 +421,39 @@ int x509_get_name( unsigned char **p, const unsigned char *end,
size_t set_len; size_t set_len;
const unsigned char *end_set; const unsigned char *end_set;
/* /* don't use recursion, we'd risk stack overflow if not optimized */
* parse first SET, restricted to 1 element while( 1 )
*/ {
if( ( ret = asn1_get_tag( p, end, &set_len, /*
ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 ) * parse first SET, restricted to 1 element
return( POLARSSL_ERR_X509_INVALID_NAME + ret ); */
if( ( ret = asn1_get_tag( p, end, &set_len,
ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
return( POLARSSL_ERR_X509_INVALID_NAME + ret );
end_set = *p + set_len; end_set = *p + set_len;
if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 ) if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
return( ret ); return( ret );
if( *p != end_set ) if( *p != end_set )
return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
/* /*
* recurse until end of SEQUENCE is reached * continue until end of SEQUENCE is reached
*/ */
if( *p == end ) if( *p == end )
return( 0 ); return( 0 );
cur->next = (x509_name *) polarssl_malloc( sizeof( x509_name ) ); cur->next = (x509_name *) polarssl_malloc( sizeof( x509_name ) );
if( cur->next == NULL ) if( cur->next == NULL )
return( POLARSSL_ERR_X509_MALLOC_FAILED ); return( POLARSSL_ERR_X509_MALLOC_FAILED );
memset( cur->next, 0, sizeof( x509_name ) ); memset( cur->next, 0, sizeof( x509_name ) );
return( x509_get_name( p, end, cur->next ) ); cur = cur->next;
}
} }
/* /*
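Review bot: The error returns inside the new `while( 1 )` loop (the `asn1_get_tag` failure, the `x509_get_attr_type_value` failure, the `*p != end_set` check and the `polarssl_malloc` failure) leave every node already chained through `cur->next` allocated, and nothing in the hunk says who frees them. Because the loop now reassigns `cur`, cleanup can only happen from the caller's original head pointer, so the contract should be written down above the loop, for example `/* on error, nodes already linked from the caller's head are left for the caller to free */`. The loop replaces stack growth with one heap node per name entry, so the entry count is still bounded only by the length of the encoded name; if a limit is wanted, this loop is the place to enforce it. The start of `x509_get_name` and its callers are outside the hunk, so whether the caller already frees the list on failure cannot be confirmed from here.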