diff --git a/ChangeLog b/ChangeLog index ef4535fd3..6529b6660 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,11 +1,18 @@ PolarSSL ChangeLog += Version 1.2.18 released 2015-10-xx + +Security + * Fix potential heap corruption on Windows when + x509_crt_parse_path() is passed a path longer than 2GB. Cannot be + triggered remotely. Found by Guido Vranken, Interlworks. + = Version 1.2.17 released 2015-10-06 Security - * Fix for CVE-2015-5291. Possible heap buffer overflow in SSL if a very long - hostname is used. Can be trigerred remotely if you accept hostnames from - untrusted parties. Found by Guido Vranken, Intelworks. + * Fix for CVE-2015-5291 to prevent heap corruption due to buffer + overflow of the hostname or session ticket. Found by Guido Vranken, + Intelworks. * Fix stack buffer overflow in pkcs12 decryption (used by mbedtls_pk_parse_key(file)() when the password is > 129 bytes. Found by Guido Vranken, Intelworks. Not triggerable remotely. diff --git a/library/x509parse.c b/library/x509parse.c index c98145b18..11e7841d0 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -1932,7 +1932,7 @@ int x509parse_crtpath( x509_cert *chain, const char *path ) WCHAR szDir[MAX_PATH]; char filename[MAX_PATH]; char *p; - int len = strlen( path ); + size_t len = strlen( path ); WIN32_FIND_DATAW file_data; HANDLE hFind; @@ -1947,7 +1947,7 @@ int x509parse_crtpath( x509_cert *chain, const char *path ) p = filename + len; filename[len++] = '*'; - w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir, MAX_PATH - 3 ); + w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int) len, szDir, MAX_PATH - 3 ); if( w_ret == 0 ) return( POLARSSL_ERR_X509_INVALID_INPUT ); @@ -1965,7 +1965,7 @@ int x509parse_crtpath( x509_cert *chain, const char *path ) w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName, lstrlenW(file_data.cFileName), - p, len - 1, + p, (int) len - 1, NULL, NULL ); if( w_ret == 0 ) return( POLARSSL_ERR_X509_FILE_IO_ERROR );