From 372bf79d67ed21cb0eab5bc92e8806a0a9507a65 Mon Sep 17 00:00:00 2001 From: Andres AG Date: Fri, 2 Sep 2016 15:23:48 +0100 Subject: [PATCH] Add missing bounds check in X509 DER write funcs This patch adds checks in both mbedtls_x509write_crt_der and mbedtls_x509write_csr_der before the signature is written to buf using memcpy(). --- ChangeLog | 8 +++++++- library/x509write_crt.c | 3 +++ library/x509write_csr.c | 3 +++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index e64b8c226..29d806a9e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,12 @@ mbed TLS ChangeLog (Sorted per branch, date) -= mbed TLS 1.3.x += mbed TLS 1.3.x branch 2016-xx-xx + +Security + * Fix potential stack corruption in mbedtls_x509write_crt_der() and + mbedtls_x509write_csr_der() when the signature is copied to the buffer + without checking whether there is enough space in the destination. It is + not triggerable remotely in SSL/TLS. Bugfix * Fix an issue that caused valid certificates being rejected whenever an diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 80913ec19..23d46ee1b 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -408,6 +408,9 @@ int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size, ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf, sig_oid, sig_oid_len, sig, sig_len ) ); + if( len > (size_t)( c2 - buf ) ) + return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL ); + c2 -= len; memcpy( c2, c, len ); diff --git a/library/x509write_csr.c b/library/x509write_csr.c index c5a587540..1b3d2f58b 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -214,6 +214,9 @@ int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size, ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf, sig_oid, sig_oid_len, sig, sig_len ) ); + if( len > (size_t)( c2 - buf ) ) + return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL ); + c2 -= len; memcpy( c2, c, len );