Fix invalid memory read in x509_get_sig()

2025-04-18 05:31:56 +00:00 · 2015-04-23 10:52:49 +02:00 · 2015-04-23 10:52:49 +02:00 · 0c2fa144bc
parent cd7d24d464
commit 0c2fa144bc
2 changed files with 4 additions and 2 deletions
--- a/3
+++ b/3
@ -5,6 +5,9 @@ PolarSSL ChangeLog
 Security
   * Fix potential invalid memory read in the server, that allows a client to
     crash it remotely (found by Caj Larsson).
+   * Fix potential invalid memory read in certificate parsing, that allows a
+     client to crash the server remotely if client authentication is enabled
+     (found using Codenomicon Defensics).

 Bugfix
   * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
--- a/library/x509parse.c
+++ b/library/x509parse.c
@ -519,8 +519,7 @@ static int x509_get_sig( unsigned char **p,
    if( ( ret = asn1_get_tag( p, end, &len, ASN1_BIT_STRING ) ) != 0 )
        return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE + ret );

-
-    if( --len < 1 || *(*p)++ != 0 )
+    if( len-- < 2 || *(*p)++ != 0 )
        return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE );

    sig->len = len;