yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-04-30 22:26:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix potential heap corruption on Windows

Browse source 
If len is large enough, when cast to an int it will be negative and then the
test if( len > MAX_PATH - 3 ) will not behave as expected.

Ref: IOTSSL-518

backport of 261faed725
This commit is contained in:
Manuel Pégourié-Gonnard 2015-10-21 10:16:29 +02:00 committed by Manuel Pégourié-Gonnard
parent 69994584c7
commit 80e6cffcad
2 changed files with 13 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
ChangeLog
View file

@ -1,11 +1,18 @@
PolarSSL ChangeLog
= Version 1.2.18 released 2015-10-xx
Security
* Fix potential heap corruption on Windows when
x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
triggered remotely. Found by Guido Vranken, Interlworks.
= Version 1.2.17 released 2015-10-06
Security
* Fix for CVE-2015-5291. Possible heap buffer overflow in SSL if a very long
hostname is used. Can be trigerred remotely if you accept hostnames from
untrusted parties. Found by Guido Vranken, Intelworks.
* Fix for CVE-2015-5291 to prevent heap corruption due to buffer
overflow of the hostname or session ticket. Found by Guido Vranken,
Intelworks.
* Fix stack buffer overflow in pkcs12 decryption (used by
mbedtls_pk_parse_key(file)() when the password is > 129 bytes. Found by
Guido Vranken, Intelworks. Not triggerable remotely.

6
library/x509parse.c
View file

@ -1932,7 +1932,7 @@ int x509parse_crtpath( x509_cert *chain, const char *path )
WCHAR szDir[MAX_PATH];
char filename[MAX_PATH];
char *p;
int len = strlen( path );
size_t len = strlen( path );
WIN32_FIND_DATAW file_data;
HANDLE hFind;
@ -1947,7 +1947,7 @@ int x509parse_crtpath( x509_cert *chain, const char *path )
p = filename + len;
filename[len++] = '*';
w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir, MAX_PATH - 3 );
w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int) len, szDir, MAX_PATH - 3 );
if( w_ret == 0 )
return( POLARSSL_ERR_X509_INVALID_INPUT );
@ -1965,7 +1965,7 @@ int x509parse_crtpath( x509_cert *chain, const char *path )
w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
lstrlenW(file_data.cFileName),
p, len - 1,
p, (int) len - 1,
NULL, NULL );
if( w_ret == 0 )
return( POLARSSL_ERR_X509_FILE_IO_ERROR );