Prevent signed integer overflow in CSR parsing

Modify the function x509_csr_parse_der() so that it checks the parsed
CSR version integer before it increments the value. This prevents a
potential signed integer overflow, as these have undefined behaviour in
the C standard.
This commit is contained in:
Andres AG 2017-03-01 14:59:02 +00:00 committed by Simon Butcher
parent 47f3059780
commit 3df4e4e1d0
2 changed files with 7 additions and 3 deletions

View file

@ -20,6 +20,10 @@ Bugfix
* Fix a potential integer overflow in the version verification for DER
encoded X509 certificates. The overflow would enable maliciously
constructed certificates to bypass the certificate verification check.
* Fix potential integer overflow in the version verification for DER
encoded X509 CSRs. The overflow would enable maliciously constructed CSRs
to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
KNOX Security, Samsung Research America
= mbed TLS 1.3.20 branch released 2017-06-21

View file

@ -169,14 +169,14 @@ int x509_csr_parse_der( x509_csr *csr,
return( ret );
}
csr->version++;
if( csr->version != 1 )
if( csr->version != 0 )
{
x509_csr_free( csr );
return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
}
csr->version++;
/*
* subject Name
*/