From 48ec2c7b5e77b5c7e0057d1218eb7ef4f989b87e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 30 Sep 2015 16:30:28 +0200 Subject: [PATCH] Fix potential overflow in base64_encode --- ChangeLog | 3 +++ include/polarssl/base64.h | 3 +++ library/base64.c | 11 ++++++----- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 14ae034f2..651ee4fc6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ Security * Fix potential double-free if ssl_set_psk() is called repeatedly on the same ssl_context object and some memory allocations fail. Found by Guido Vranken. Can not be forced remotely. + * Fix possible heap buffer overflow in base64_encode() when the input + buffer is 512MB or larger on 32-bit platforms. + Found by Guido Vranken. Not trigerrable remotely in TLS. = mbed TLS 1.3.13 reladsed 2015-09-17 diff --git a/include/polarssl/base64.h b/include/polarssl/base64.h index 0f1e8549b..dd11bdab6 100644 --- a/include/polarssl/base64.h +++ b/include/polarssl/base64.h @@ -25,6 +25,7 @@ #define POLARSSL_BASE64_H #include +#include #define POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL -0x002A /**< Output buffer too small. */ #define POLARSSL_ERR_BASE64_INVALID_CHARACTER -0x002C /**< Invalid character in input. */ @@ -44,6 +45,8 @@ extern "C" { * \return 0 if successful, or POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL. * *dlen is always updated to reflect the amount * of data that has (or would have) been written. + * If that length cannot be represented, then no data is + * written to the buffer and *olen is set to SIZE_T_MAX. * * \note Call this function with *dlen = 0 to obtain the * required buffer size in *dlen diff --git a/library/base64.c b/library/base64.c index 2f7bb1428..c74351158 100644 --- a/library/base64.c +++ b/library/base64.c @@ -91,15 +91,16 @@ int base64_encode( unsigned char *dst, size_t *dlen, return( 0 ); } - n = ( slen << 3 ) / 6; + n = slen / 3 + ( slen % 3 != 0 ); - switch( ( slen << 3 ) - ( n * 6 ) ) + if( n > ( SIZE_T_MAX - 1 ) / 4 ) { - case 2: n += 3; break; - case 4: n += 2; break; - default: break; + *dlen = SIZE_T_MAX; + return( POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL ); } + n *= 4; + if( *dlen < n + 1 ) { *dlen = n + 1;