diff --git a/ChangeLog b/ChangeLog
index a1e9837f5..85b565243 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,9 @@ Security
 Bugfix
    * Stack buffer overflow if ctr_drbg_update() is called with too large
      add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
+   * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
+     if memory_buffer_alloc_init() was called with buf not aligned and len not
+     a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE.
 
 = PolarSSL 1.3.9 released 2014-10-20
 Security
diff --git a/library/memory_buffer_alloc.c b/library/memory_buffer_alloc.c
index 9cae251d5..4a5be479f 100644
--- a/library/memory_buffer_alloc.c
+++ b/library/memory_buffer_alloc.c
@@ -563,9 +563,11 @@ int memory_buffer_alloc_init( unsigned char *buf, size_t len )
 
     if( (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE )
     {
+        /* Adjust len first since buf is used in the computation */
+        len -= POLARSSL_MEMORY_ALIGN_MULTIPLE
+             - (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;
         buf += POLARSSL_MEMORY_ALIGN_MULTIPLE
              - (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;
-        len -= (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;
     }
 
     heap.buf = buf;
@@ -623,9 +625,9 @@ static int check_all_free( )
 
 int memory_buffer_alloc_self_test( int verbose )
 {
-    int ret = 0;
     unsigned char buf[1024];
-    unsigned char *p, *q, *r;
+    unsigned char *p, *q, *r, *end;
+    int ret = 0;
 
     if( verbose != 0 )
         polarssl_printf( "  MBA test #1 (basic alloc-free cycle): " );
@@ -646,6 +648,9 @@ int memory_buffer_alloc_self_test( int verbose )
 
     TEST_ASSERT( check_all_free( ) == 0 );
 
+    /* Memorize end to compare with the next test */
+    end = heap.buf + heap.len;
+
     memory_buffer_alloc_free( );
 
     if( verbose != 0 )
@@ -656,6 +661,8 @@ int memory_buffer_alloc_self_test( int verbose )
 
     memory_buffer_alloc_init( buf + 1, sizeof( buf ) - 1 );
 
+    TEST_ASSERT( heap.buf + heap.len == end );
+
     p = polarssl_malloc( 1 );
     q = polarssl_malloc( 128 );
     r = polarssl_malloc( 16 );
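Review bot: The new `len -= POLARSSL_MEMORY_ALIGN_MULTIPLE - (size_t) buf % ...` line in memory_buffer_alloc_init() wraps `len` (a `size_t`) to a huge value when the caller's buffer is shorter than the alignment adjustment, and the wrapped value then flows into `heap.buf`/`heap.len` right after the `if` block; nothing in the hunk bounds `len` before the subtraction. The function begins above the hunk, so an earlier minimum-length check may exist, but if it does not, the adjustment should be computed once, rejected when it exceeds `len`, and applied to both `len` and `buf` from the same local, which also removes the duplicated modulo expression and the need for the ordering comment. The rewritten block below shows that shape; the error return is a placeholder to be replaced with the module's own error code.
```c
    if( (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE )
    {
        size_t adjust = POLARSSL_MEMORY_ALIGN_MULTIPLE
                      - (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;

        /* Refuse buffers too small to hold even the alignment padding,
         * otherwise len would wrap around below */
        if( len < adjust )
            return( -1 ); /* placeholder: use the module's error code */

        len -= adjust;
        buf += adjust;
    }
    /* … unchanged: heap.buf / heap.len assignment … */
```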
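Review bot: The new `TEST_ASSERT( heap.buf + heap.len == end );` in memory_buffer_alloc_self_test() only exercises the corrected length adjustment when `buf + 1` is actually misaligned; if the stack array happens to land at an address where `buf + 1` is a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE, the init takes the aligned path and the assertion would also pass on the pre-fix code, so the self-test is not a reliable regression check on its own. At minimum the comment on the `end` assignment in the earlier hunk could say why the end is the invariant being compared, e.g. `/* The heap end must not depend on the start alignment; test #2 re-inits from buf + 1 and checks it */`, and the `memory_buffer_alloc_init( buf + 1, ... )` call a few lines above could instead use an offset derived from `(size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE` that is guaranteed to be unaligned. The enclosing function continues past the hunk.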