Fix memory corruption in rsa sign/verify programs

We have no guarantee there is enough room in the argv strings.

Fixes #210
Manuel Pégourié-Gonnard 2015-08-27 21:39:40 +02:00
parent 8b2641d36f
commit d74c697035
3 changed files with 13 additions and 10 deletions


@ -35,6 +35,7 @@ Bugfix
Aleksandrs Saveljevs) (#238) Aleksandrs Saveljevs) (#238)
* Fix unused function warning when using MBEDTLS_MDx_ALT or * Fix unused function warning when using MBEDTLS_MDx_ALT or
MBEDTLS_SHAxxx_ALT (found by Henrik) (#239) MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
* Fix memory corruption in pkey programs (found by yankuncheng) (#210)
Changes Changes
* The PEM parser now accepts a trailing space at end of lines (#226). * The PEM parser now accepts a trailing space at end of lines (#226).


@ -32,6 +32,7 @@
#include <stdio.h> #include <stdio.h>
#define mbedtls_fprintf fprintf #define mbedtls_fprintf fprintf
#define mbedtls_printf printf #define mbedtls_printf printf
#define mbedtls_snprintf snprintf
#endif #endif
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \ #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
@ -60,6 +61,7 @@ int main( int argc, char *argv[] )
mbedtls_rsa_context rsa; mbedtls_rsa_context rsa;
unsigned char hash[20]; unsigned char hash[20];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
char filename[512];
ret = 1; ret = 1;
@ -135,11 +137,11 @@ int main( int argc, char *argv[] )
} }
/* /*
* Write the signature into <filename>-sig.txt * Write the signature into <filename>.sig
*/ */
memcpy( argv[1] + strlen( argv[1] ), ".sig", 5 ); mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[1] );
if( ( f = fopen( argv[1], "wb+" ) ) == NULL ) if( ( f = fopen( filename, "wb+" ) ) == NULL )
{ {
ret = 1; ret = 1;
mbedtls_printf( " failed\n ! Could not create %s\n\n", argv[1] ); mbedtls_printf( " failed\n ! Could not create %s\n\n", argv[1] );
@ -152,7 +154,7 @@ int main( int argc, char *argv[] )
fclose( f ); fclose( f );
mbedtls_printf( "\n . Done (created \"%s\")\n\n", argv[1] ); mbedtls_printf( "\n . Done (created \"%s\")\n\n", filename );
exit: exit:
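Review bot: The return value of `mbedtls_snprintf` is ignored where `filename` is built, so an `argv[1]` longer than 507 characters is silently truncated, and the truncated name is then opened with `"wb+"`; at exactly 511 characters `filename` equals the input path, so the signature would overwrite the file that was just signed. I would reject an over-long name instead, e.g. `if( (size_t) mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[1] ) >= sizeof(filename) ) { ret = 1; goto exit; }`, which also catches a negative return after the cast. The same unchecked call is added in the verify program's "Extract the RSA signature" hunk, where truncation would make it read a different file than the one named. Separately, the `Could not create %s` message in the `fopen` failure branch still prints `argv[1]`, which after this change is the input name rather than the `.sig` path, so it should print `filename`. `main` starts and ends outside these hunks, so the value of `ret` on reaching this point should be confirmed against the full function.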


@ -31,6 +31,7 @@
#else #else
#include <stdio.h> #include <stdio.h>
#define mbedtls_printf printf #define mbedtls_printf printf
#define mbedtls_snprintf snprintf
#endif #endif
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \ #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
@ -59,6 +60,7 @@ int main( int argc, char *argv[] )
mbedtls_rsa_context rsa; mbedtls_rsa_context rsa;
unsigned char hash[20]; unsigned char hash[20];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
char filename[512];
ret = 1; ret = 1;
if( argc != 2 ) if( argc != 2 )
@ -99,17 +101,15 @@ int main( int argc, char *argv[] )
* Extract the RSA signature from the text file * Extract the RSA signature from the text file
*/ */
ret = 1; ret = 1;
i = strlen( argv[1] ); mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[1] );
memcpy( argv[1] + i, ".sig", 5 );
if( ( f = fopen( argv[1], "rb" ) ) == NULL ) if( ( f = fopen( filename, "rb" ) ) == NULL )
{ {
mbedtls_printf( "\n ! Could not open %s\n\n", argv[1] ); mbedtls_printf( "\n ! Could not open %s\n\n", filename );
goto exit; goto exit;
} }
argv[1][i] = '\0', i = 0; i = 0;
while( fscanf( f, "%02X", &c ) > 0 && while( fscanf( f, "%02X", &c ) > 0 &&
i < (int) sizeof( buf ) ) i < (int) sizeof( buf ) )
buf[i++] = (unsigned char) c; buf[i++] = (unsigned char) c;