mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 23:55:36 +00:00
Fix potential integer overflow parsing DER CRL
This patch prevents a potential signed integer overflow during the CRL version verification checks.
This commit is contained in:
parent
57501ef056
commit
26124be17a
|
@ -13,6 +13,10 @@ Bugfix
|
||||||
Found by redplait #590
|
Found by redplait #590
|
||||||
* Add MPI_CHK to check for error value of mpi_fill_random.
|
* Add MPI_CHK to check for error value of mpi_fill_random.
|
||||||
Backported from a report and fix suggestion by guidovranken in #740
|
Backported from a report and fix suggestion by guidovranken in #740
|
||||||
|
* Fix a potential integer overflow in the version verification for DER
|
||||||
|
encoded X509 CRLs. The overflow would enable maliciously constructed CRLs
|
||||||
|
to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
|
||||||
|
KNOX Security, Samsung Research America
|
||||||
|
|
||||||
= mbed TLS 1.3.20 branch released 2017-06-21
|
= mbed TLS 1.3.20 branch released 2017-06-21
|
||||||
|
|
||||||
|
|
|
@ -353,14 +353,14 @@ int x509_crl_parse_der( x509_crl *chain,
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
crl->version++;
|
if( crl->version < 0 || crl->version > 1 )
|
||||||
|
|
||||||
if( crl->version > 2 )
|
|
||||||
{
|
{
|
||||||
x509_crl_free( crl );
|
x509_crl_free( crl );
|
||||||
return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
|
return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
crl->version++;
|
||||||
|
|
||||||
if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &sig_params1,
|
if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &sig_params1,
|
||||||
&crl->sig_md, &crl->sig_pk,
|
&crl->sig_md, &crl->sig_pk,
|
||||||
&crl->sig_opts ) ) != 0 )
|
&crl->sig_opts ) ) != 0 )
|
||||||
|
|
Loading…
Reference in a new issue