Add missing bounds check in X509 DER write funcs
This patch adds checks in both mbedtls_x509write_crt_der and mbedtls_x509write_csr_der before the signature is written to buf using memcpy().
parent
e3d882ad4a
commit
60dbc93831
|
@ -2,6 +2,12 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
||||||
|
|
||||||
= mbed TLS 2.3.x branch released 2016-xx-xx
|
= mbed TLS 2.3.x branch released 2016-xx-xx
|
||||||
|
|
||||||
|
Security
|
||||||
|
* Fix potential stack corruption in mbedtls_x509write_crt_der() and
|
||||||
|
mbedtls_x509write_csr_der() when the signature is copied to the buffer
|
||||||
|
without checking whether there is enough space in the destination. It is
|
||||||
|
not triggerable remotely in SSL/TLS.
|
||||||
|
|
||||||
Features
|
Features
|
||||||
* Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
|
* Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
|
||||||
NIST SP 800-38B, RFC-4493 and RFC-4615.
|
NIST SP 800-38B, RFC-4493 and RFC-4615.
|
||||||
|
|
|
@ -413,6 +413,9 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
|
||||||
MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
|
MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
|
||||||
sig_oid, sig_oid_len, sig, sig_len ) );
|
sig_oid, sig_oid_len, sig, sig_len ) );
|
||||||
|
|
||||||
|
if( len > (size_t)( c2 - buf ) )
|
||||||
|
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
c2 -= len;
|
c2 -= len;
|
||||||
memcpy( c2, c, len );
|
memcpy( c2, c, len );
|
||||||
|
|
||||||
|
|
|
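Review bot: The new guard `if( len > (size_t)( c2 - buf ) )` carries no comment explaining why the pointer difference can safely be cast to size_t, and the same three lines are added without one in mbedtls_x509write_csr_der. The cast is only meaningful while c2 >= buf, which appears to hold because MBEDTLS_ASN1_CHK_ADD returns early when mbedtls_x509_write_sig fails. A line such as `/* write_sig succeeded, so c2 >= buf and c2 - buf is the room left in front of the signature */` above the check would record that assumption. No test is visible on this page that calls either function with a buffer large enough for the signature but too small for the remaining len bytes, which is the case this check exists for; one such case per function would keep the check from regressing. Both function bodies start and end outside the hunks.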
@ -213,6 +213,9 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s
|
||||||
MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
|
MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
|
||||||
sig_oid, sig_oid_len, sig, sig_len ) );
|
sig_oid, sig_oid_len, sig, sig_len ) );
|
||||||
|
|
||||||
|
if( len > (size_t)( c2 - buf ) )
|
||||||
|
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
c2 -= len;
|
c2 -= len;
|
||||||
memcpy( c2, c, len );
|
memcpy( c2, c, len );
|
||||||
|
|
||||||
|
|