Merge remote-tracking branch 'restricted/pr/498' into mbedtls-2.7-restricted

2025-01-10 22:45:39 +00:00 · 2018-08-28 15:29:55 +01:00 · 2018-08-28 15:29:55 +01:00 · 242169bdc3
parent 6910201cd1 f4a668870f
commit 242169bdc3
2 changed files with 7 additions and 7 deletions
--- a/4
+++ b/4
@ -6,6 +6,10 @@ Security
   * Fix a potential memory leak in mbedtls_ssl_setup( ) function. An allocation
     failure could leave an unreleased buffer. A handshake init failure would
     lead to leaving two unreleased buffers.
+   * Fix an issue in the X.509 module which could lead to a buffer overread
+     during certificate extensions parsing. In case of receiving malformed
+     input (extensions length field equal to 0), an illegal read of one byte
+     beyond the input buffer is made. Found and analyzed by Nathan Crandall.

 Bugfix
   * Fixes an issue with MBEDTLS_CHACHAPOLY_C which would not compile if
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -567,18 +567,14 @@ static int x509_get_crt_ext( unsigned char **p,
        end_ext_data = *p + len;

        /* Get extension ID */
-        extn_oid.tag = **p;
-
-        if( ( ret = mbedtls_asn1_get_tag( p, end, &extn_oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &extn_oid.len,
+                                          MBEDTLS_ASN1_OID ) ) != 0 )
            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );

+        extn_oid.tag = MBEDTLS_ASN1_OID;
        extn_oid.p = *p;
        *p += extn_oid.len;

-        if( ( end - *p ) < 1 )
-            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                    MBEDTLS_ERR_ASN1_OUT_OF_DATA );
-
        /* Get optional critical */
        if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
            ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )