mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-22 23:15:43 +01:00
6579235d9c
In the entries (mbedtls_x509_crl_entry values) on the list constructed by mbedtls_x509_crl_parse_der(), set entry->raw.tag to (SEQUENCE | CONSTRUCTED) rather than to the tag of the first ASN.1 element of the entry (which happens to be the tag of the serial number, so INTEGER or INTEGER | CONTEXT_SPECIFIC). This is doesn't really matter in practice (and in particular the value is never used in Mbed TLS itself), and isn't documented, but at least it's consistent with how mbedtls_x509_buf is normally used. The primary importance of this change is that the old code tried to access the tag of the first element of the entry even when the entry happened to be empty. If the entry was empty and not followed by anything else in the CRL, this could cause a read 1 byte after the end of the buffer containing the CRL. The test case "X509 CRL ASN1 (TBSCertList, single empty entry at end)" hit the problematic buffer overflow, which is detected with ASan. Credit to OSS-Fuzz for detecting the problem. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
5 lines
193 B
Plaintext
5 lines
193 B
Plaintext
Security
|
|
* Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
|
|
Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
|
|
for pinpointing the problematic code.
|