diff --git a/ChangeLog b/ChangeLog index 03bad2ce1..8b9e4a6b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,9 @@ Bugfix * Fixed the templates used to generate project and solution files for Visual Studio 2015 as well as the files themselves, to remove a build warning generated in Visual Studio 2015. Reported by Steve Valliere. #742 + * Fix 1 byte buffer overflow in mpi_write_string() when the MPI number to + write in hexadecimal is negative and requires an odd number of digits. + Found and fixed by Guido Vranken. = mbed TLS 1.3.18 branch 2016-10-17 diff --git a/library/bignum.c b/library/bignum.c index 4fe841c34..afde19bd5 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -538,7 +538,12 @@ int mpi_write_string( const mpi *X, int radix, char *s, size_t *slen ) n = mpi_msb( X ); if( radix >= 4 ) n >>= 1; if( radix >= 16 ) n >>= 1; - n += 3; + /* + * Round up the buffer length to an even value to ensure that there is + * enough room for hexadecimal values that can be represented in an odd + * number of digits. + */ + n += 3 + ( ( n + 1 ) & 1 ); if( *slen < n ) { diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data index a8da378f0..81fc73f32 100644 --- a/tests/suites/test_suite_mpi.data +++ b/tests/suites/test_suite_mpi.data @@ -46,6 +46,9 @@ mpi_read_write_string:16:"":16:"00":4:0:0 Test mpi_read_write_string #9 (Empty MPI -> dec) mpi_read_write_string:16:"":10:"0":4:0:0 +Test mpi_write_string #10 (Negative hex with odd number of digits) +mpi_read_write_string:16:"-1":16:"":3:0:POLARSSL_ERR_MPI_BUFFER_TOO_SMALL + Base test mpi_read_binary #1 mpi_read_binary:"0941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":10:"56125680981752282334141896320372489490613963693556392520816017892111350604111697682705498319512049040516698827829292076808006940873974979584527073481012636016353913462376755556720019831187364993587901952757307830896531678727717924"