From 0c12bd69f5f70f089216f7a9d58bcf5933b8c173 Mon Sep 17 00:00:00 2001 From: Andres AG Date: Fri, 2 Sep 2016 15:23:48 +0100 Subject: [PATCH] Add missing bounds check in X509 DER write funcs This patch adds checks in both mbedtls_x509write_crt_der and mbedtls_x509write_csr_der before the signature is written to buf using memcpy(). --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 4ab77fa62..771f7c50c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,10 @@ Security mbedtls_x509write_csr_der() when the signature is copied to the buffer without checking whether there is enough space in the destination. The issue cannot be triggered remotely. (found by Jethro Beekman) + * Fix potential stack corruption in mbedtls_x509write_crt_der() and + mbedtls_x509write_csr_der() when the signature is copied to the buffer + without checking whether there is enough space in the destination. It is + not triggerable remotely in SSL/TLS. Bugfix * Fix an issue that caused valid certificates being rejected whenever an
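Review bot: the added ChangeLog bullet duplicates the entry visible in the context lines directly above it, which already describes the same two functions, the same unchecked copy of the signature into the buffer and the same "not triggerable remotely" caveat, so the Security section would carry the issue twice; keep a single bullet and fold the differing details (the "(found by Jethro Beekman)" credit and the "in SSL/TLS" qualifier) into it. Separately, the subject line and body say this patch adds the bounds checks in mbedtls_x509write_crt_der and mbedtls_x509write_csr_der before the memcpy(), but the diffstat shows "ChangeLog | 4 ++++" and "1 file changed, 4 insertions(+)": no source file is touched, so either the X.509 write code changes are missing from this patch or the commit message should state that this is a ChangeLog-only change.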