Fix potential stack overflow

2025-01-07 06:15:37 +00:00 · 2014-11-12 16:52:34 +01:00 · 2014-11-12 16:52:34 +01:00 · 360eb91d02
parent fdec957e55
commit 360eb91d02
2 changed files with 28 additions and 22 deletions
--- a/3
+++ b/3
@ -9,6 +9,9 @@ Security
   * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
     (TLS server is not affected if it doesn't ask for a client certificate)
     (found using Codenomicon Defensics).
+   * Fix potential stack overflow while parsing crafted X.509 certificates
+     (TLS server is not affected if it doesn't ask for a client certificate)
+     found using Codenomicon Defensics).

 Changes
   * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
--- a/library/x509parse.c
+++ b/library/x509parse.c
@ -296,36 +296,39 @@ static int x509_get_name( unsigned char **p,
    size_t set_len;
    const unsigned char *end_set;

-    /*
-     * parse first SET, restricted to 1 element
-     */
-    if( ( ret = asn1_get_tag( p, end, &set_len,
-            ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
+    /* don't use recursion, we'd risk stack overflow if not optimized */
+    while( 1 )
+    {
+        /*
+         * parse first SET, restricted to 1 element
+         */
+        if( ( ret = asn1_get_tag( p, end, &set_len,
+                ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
+            return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );

-    end_set = *p + set_len;
+        end_set  = *p + set_len;

-    if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
-        return( ret );
+        if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
+            return( ret );

-    if( *p != end_set )
-        return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
+        if( *p != end_set )
+            return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );

-    /*
-     * recurse until end of SEQUENCE is reached
-     */
-    if( *p == end )
-        return( 0 );
+        /*
+         * continue until end of SEQUENCE is reached
+         */
+        if( *p == end )
+            return( 0 );

-    cur->next = (x509_name *) malloc(
-         sizeof( x509_name ) );
+        cur->next = (x509_name *) malloc( sizeof( x509_name ) );

-    if( cur->next == NULL )
-        return( POLARSSL_ERR_X509_MALLOC_FAILED );
+        if( cur->next == NULL )
+            return( POLARSSL_ERR_X509_MALLOC_FAILED );

-    memset( cur->next, 0, sizeof( x509_name ) );
+        memset( cur->next, 0, sizeof( x509_name ) );

-    return( x509_get_name( p, end, cur->next ) );
+        cur = cur->next;
+    }
 }

 /*