mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 09:15:43 +01:00
Merge fix IOTSSL-475 Potential buffer overflow
Two possible integer overflows (during << 2 or addition in BITS_TO_LIMB()) could result in far too few memory to be allocated, then overflowing the buffer in the subsequent for loop. Both integer overflows happen when slen is close to or greater than SIZE_T_MAX >> 2 (ie 2^30 on a 32 bit system). Note: one could also avoid those overflows by changing BITS_TO_LIMB(s << 2) to CHARS_TO_LIMB(s >> 1) but the solution implemented looks more robust with respect to future code changes.
This commit is contained in:
commit
e7f96f22ee
@ -11,6 +11,11 @@ Security
|
|||||||
* Fix stack buffer overflow in pkcs12 decryption (used by
|
* Fix stack buffer overflow in pkcs12 decryption (used by
|
||||||
mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
|
mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
|
||||||
Found by Guido Vranken. Not triggerable remotely.
|
Found by Guido Vranken. Not triggerable remotely.
|
||||||
|
* Fix potential buffer overflow in mbedtls_mpi_read_string().
|
||||||
|
Found by Guido Vranken. Not exploitable remotely in the context of TLS,
|
||||||
|
but might be in other uses. On 32 bit machines, requires reading a string
|
||||||
|
of close to or larger than 1GB to exploit; on 64 bit machines, would require
|
||||||
|
reading a string of close to or larger than 2^62 bytes.
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
|
* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
|
||||||
|
@ -38,6 +38,7 @@
|
|||||||
#include "mbedtls/bn_mul.h"
|
#include "mbedtls/bn_mul.h"
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
#include <limits.h>
|
||||||
|
|
||||||
#if defined(MBEDTLS_PLATFORM_C)
|
#if defined(MBEDTLS_PLATFORM_C)
|
||||||
#include "mbedtls/platform.h"
|
#include "mbedtls/platform.h"
|
||||||
@ -60,9 +61,10 @@ static void mbedtls_zeroize( void *v, size_t n ) {
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* Convert between bits/chars and number of limbs
|
* Convert between bits/chars and number of limbs
|
||||||
|
* Divide first in order to avoid potential overflows
|
||||||
*/
|
*/
|
||||||
#define BITS_TO_LIMBS(i) (((i) + biL - 1) / biL)
|
#define BITS_TO_LIMBS(i) ( (i) / biL + ( (i) % biL != 0 ) )
|
||||||
#define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
|
#define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) )
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Initialize one MPI
|
* Initialize one MPI
|
||||||
@ -409,6 +411,9 @@ int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s )
|
|||||||
|
|
||||||
if( radix == 16 )
|
if( radix == 16 )
|
||||||
{
|
{
|
||||||
|
if( slen > SIZE_T_MAX >> 2 )
|
||||||
|
return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
|
||||||
|
|
||||||
n = BITS_TO_LIMBS( slen << 2 );
|
n = BITS_TO_LIMBS( slen << 2 );
|
||||||
|
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, n ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, n ) );
|
||||||
|
Loading…
Reference in New Issue
Block a user