From 6978949cd090a6301466fdc709b1830429254053 Mon Sep 17 00:00:00 2001 From: k-stachowiak Date: Mon, 16 Jul 2018 10:49:12 +0200 Subject: [PATCH 1/3] Prevent buffer overread by one byte --- library/x509_crt.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index 6751da0d2..85fee8444 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -558,18 +558,14 @@ static int x509_get_crt_ext( unsigned char **p, end_ext_data = *p + len; /* Get extension ID */ - extn_oid.tag = **p; - - if( ( ret = mbedtls_asn1_get_tag( p, end, &extn_oid.len, MBEDTLS_ASN1_OID ) ) != 0 ) + if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &extn_oid.len, + MBEDTLS_ASN1_OID ) ) != 0 ) return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); + extn_oid.tag = MBEDTLS_ASN1_OID; extn_oid.p = *p; *p += extn_oid.len; - if( ( end - *p ) < 1 ) - return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + - MBEDTLS_ERR_ASN1_OUT_OF_DATA ); - /* Get optional critical */ if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 && ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) From 55bea65ca913bca5dee772668421888568b6b62e Mon Sep 17 00:00:00 2001 From: k-stachowiak Date: Mon, 16 Jul 2018 12:14:18 +0200 Subject: [PATCH 2/3] Update change log --- ChangeLog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index 9ea55e1fd..ce3554ccf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,12 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS x.x.x branch released xxxx-xx-xx +Security + * Fix an issue in the X.509 module which could lead to a buffer overread + during certificate extensions parsing. In case of receiving malformed + input (extensions length field equal to 0), an illegal read of one byte + beyond the input buffer is made. Found and analyzed by Nathan Crandall. + Bugfix * Fix compilation error on C++, because of a variable named new. Found and fixed by Hirotaka Niisato in #1783. From f4a668870f1cb6d6ab6eebf36e2f59395492e004 Mon Sep 17 00:00:00 2001 From: k-stachowiak Date: Tue, 24 Jul 2018 12:54:39 +0200 Subject: [PATCH 3/3] Fix code formatting --- library/x509_crt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index 85fee8444..f3a89f596 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -559,7 +559,7 @@ static int x509_get_crt_ext( unsigned char **p, /* Get extension ID */ if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &extn_oid.len, - MBEDTLS_ASN1_OID ) ) != 0 ) + MBEDTLS_ASN1_OID ) ) != 0 ) return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); extn_oid.tag = MBEDTLS_ASN1_OID;