Add missing bounds check in X509 DER write funcs

This patch adds checks in both mbedtls_x509write_crt_der and mbedtls_x509write_csr_der before the signature is written to buf using memcpy().
2025-01-25 00:31:05 +00:00 · 2016-09-02 15:23:48 +01:00 · 2016-09-02 15:23:48 +01:00 · 372bf79d67
parent 80d191bbe9
commit 372bf79d67
3 changed files with 13 additions and 1 deletions
--- a/8
+++ b/8
@ -1,6 +1,12 @@
 mbed TLS ChangeLog (Sorted per branch, date)

-= mbed TLS 1.3.x
+= mbed TLS 1.3.x branch 2016-xx-xx
+
+Security
+   * Fix potential stack corruption in mbedtls_x509write_crt_der() and
+     mbedtls_x509write_csr_der() when the signature is copied to the buffer
+     without checking whether there is enough space in the destination. It is
+     not triggerable remotely in SSL/TLS.

 Bugfix
   * Fix an issue that caused valid certificates being rejected whenever an
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@ -408,6 +408,9 @@ int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size,
    ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf,
                                        sig_oid, sig_oid_len, sig, sig_len ) );

+    if( len > (size_t)( c2 - buf ) )
+        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
+
    c2 -= len;
    memcpy( c2, c, len );

--- a/library/x509write_csr.c
+++ b/library/x509write_csr.c
@ -214,6 +214,9 @@ int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size,
    ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf,
                                        sig_oid, sig_oid_len, sig, sig_len ) );

+    if( len > (size_t)( c2 - buf ) )
+        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
+
    c2 -= len;
    memcpy( c2, c, len );