Fix potential unintended sign extension

Backport of 6fdc4cae from the 1.3 branch
This commit is contained in:
Manuel Pégourié-Gonnard 2015-04-10 17:23:05 +02:00
parent 82f1a88a92
commit 64f65e84bc
2 changed files with 9 additions and 3 deletions

View file

@ -6,6 +6,10 @@ Security
* Fix potential invalid memory read in the server, that allows a client to
crash it remotely (found by Caj Larsson).
Bugfix
* Fix potential unintended sign extension in asn1_get_len() on 64-bit
platforms (found with Coverity Scan).
= Version 1.2.13 released 2015-02-16
Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
this will be made in the 1.2 branch at this point.

View file

@ -62,7 +62,7 @@ int asn1_get_len( unsigned char **p,
if( ( end - *p ) < 3 )
return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
*len = ( (*p)[1] << 8 ) | (*p)[2];
*len = ( (size_t)(*p)[1] << 8 ) | (*p)[2];
(*p) += 3;
break;
@ -70,7 +70,8 @@ int asn1_get_len( unsigned char **p,
if( ( end - *p ) < 4 )
return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
*len = ( (*p)[1] << 16 ) | ( (*p)[2] << 8 ) | (*p)[3];
*len = ( (size_t)(*p)[1] << 16 ) |
( (size_t)(*p)[2] << 8 ) | (*p)[3];
(*p) += 4;
break;
@ -78,7 +79,8 @@ int asn1_get_len( unsigned char **p,
if( ( end - *p ) < 5 )
return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
*len = ( (*p)[1] << 24 ) | ( (*p)[2] << 16 ) | ( (*p)[3] << 8 ) | (*p)[4];
*len = ( (size_t)(*p)[1] << 24 ) | ( (size_t)(*p)[2] << 16 ) |
( (size_t)(*p)[3] << 8 ) | (*p)[4];
(*p) += 5;
break;