From 0d66bb959ff42bbd527cda3e389cae202ce75aba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Oct 2015 12:07:47 +0200 Subject: [PATCH] Fix potential buffer overflow in asn1write --- ChangeLog | 4 ++++ library/asn1write.c | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 85909ca05..1447fdcc3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ Security * Fix potential heap corruption on Windows when mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be triggered remotely. Found by Guido Vranken, Interlworks. + * Fix potential buffer overflow in some asn1_write_xxx() functions. + Cannot be triggered remotely unless you create X.509 certificates based + on untrusted input or write keys of untrusted origin. Found by Guido + Vranken, Interlworks. * The X509 max_pathlen constraint was not enforced on intermediate certificates. Found by Nicholas Wilson, fix and tests provided by Janos Follath. #280 and #319 diff --git a/library/asn1write.c b/library/asn1write.c index 849e8c168..456660d8b 100644 --- a/library/asn1write.c +++ b/library/asn1write.c @@ -87,7 +87,7 @@ int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start, { size_t len = 0; - if( *p - start < (int) size ) + if( *p < start || (size_t)( *p - start ) < size ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); len = size; @@ -107,7 +107,7 @@ int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start, const mbedt // len = mbedtls_mpi_size( X ); - if( *p - start < (int) len ) + if( *p < start || (size_t)( *p - start ) < len ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); (*p) -= len; @@ -270,7 +270,7 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start, // Calculate byte length // - if( *p - start < (int) size + 1 ) + if( *p < start || (size_t)( *p - start ) < size + 1 ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); len = size + 1;