yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-23 22:01:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix potential stack overflow

Browse source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-11-12 16:52:34 +01:00
parent fdec957e55
commit 360eb91d02
2 changed files with 28 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
ChangeLog
View file

@ -9,6 +9,9 @@ Security
* Fix remotely-triggerable memory leak caused by crafted X.509 certificates * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate) (TLS server is not affected if it doesn't ask for a client certificate)
(found using Codenomicon Defensics). (found using Codenomicon Defensics).
* Fix potential stack overflow while parsing crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate)
found using Codenomicon Defensics).
Changes Changes
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.

47
library/x509parse.c
View file

@ -296,36 +296,39 @@ static int x509_get_name( unsigned char **p,
size_t set_len; size_t set_len;
const unsigned char *end_set; const unsigned char *end_set;
/* /* don't use recursion, we'd risk stack overflow if not optimized */
* parse first SET, restricted to 1 element while( 1 )
*/ {
if( ( ret = asn1_get_tag( p, end, &set_len, /*
ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 ) * parse first SET, restricted to 1 element
return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret ); */
if( ( ret = asn1_get_tag( p, end, &set_len,
ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
end_set = *p + set_len; end_set = *p + set_len;
if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 ) if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
return( ret ); return( ret );
if( *p != end_set ) if( *p != end_set )
return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
/* /*
* recurse until end of SEQUENCE is reached * continue until end of SEQUENCE is reached
*/ */
if( *p == end ) if( *p == end )
return( 0 ); return( 0 );
cur->next = (x509_name *) malloc( cur->next = (x509_name *) malloc( sizeof( x509_name ) );
sizeof( x509_name ) );
if( cur->next == NULL ) if( cur->next == NULL )
return( POLARSSL_ERR_X509_MALLOC_FAILED ); return( POLARSSL_ERR_X509_MALLOC_FAILED );
memset( cur->next, 0, sizeof( x509_name ) ); memset( cur->next, 0, sizeof( x509_name ) );
return( x509_get_name( p, end, cur->next ) ); cur = cur->next;
}
} }
/* /*