From 360eb91d02bc9fc89a6ebfeeaa8d346a6a0968fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 12 Nov 2014 16:52:34 +0100 Subject: [PATCH] Fix potential stack overflow --- ChangeLog | 3 +++ library/x509parse.c | 47 ++++++++++++++++++++++++--------------------- 2 files changed, 28 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index 87dc23a87..8b5848a75 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ Security * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). + * Fix potential stack overflow while parsing crafted X.509 certificates + (TLS server is not affected if it doesn't ask for a client certificate) + found using Codenomicon Defensics). Changes * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. diff --git a/library/x509parse.c b/library/x509parse.c index c00c5db22..4a9b7c19f 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -296,36 +296,39 @@ static int x509_get_name( unsigned char **p, size_t set_len; const unsigned char *end_set; - /* - * parse first SET, restricted to 1 element - */ - if( ( ret = asn1_get_tag( p, end, &set_len, - ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 ) - return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret ); + /* don't use recursion, we'd risk stack overflow if not optimized */ + while( 1 ) + { + /* + * parse first SET, restricted to 1 element + */ + if( ( ret = asn1_get_tag( p, end, &set_len, + ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 ) + return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret ); - end_set = *p + set_len; + end_set = *p + set_len; - if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 ) - return( ret ); + if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 ) + return( ret ); - if( *p != end_set ) - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); + if( *p != end_set ) + return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); - /* - * recurse until end of SEQUENCE is reached - */ - if( *p == end ) - return( 0 ); + /* + * continue until end of SEQUENCE is reached + */ + if( *p == end ) + return( 0 ); - cur->next = (x509_name *) malloc( - sizeof( x509_name ) ); + cur->next = (x509_name *) malloc( sizeof( x509_name ) ); - if( cur->next == NULL ) - return( POLARSSL_ERR_X509_MALLOC_FAILED ); + if( cur->next == NULL ) + return( POLARSSL_ERR_X509_MALLOC_FAILED ); - memset( cur->next, 0, sizeof( x509_name ) ); + memset( cur->next, 0, sizeof( x509_name ) ); - return( x509_get_name( p, end, cur->next ) ); + cur = cur->next; + } } /*