From 8aa301ba3172b113f03f603517075216bd18bc88 Mon Sep 17 00:00:00 2001 From: Andres AG Date: Fri, 2 Sep 2016 15:23:48 +0100 Subject: [PATCH] Add missing bounds check in X509 DER write funcs This patch adds checks in both mbedtls_x509write_crt_der and mbedtls_x509write_csr_der before the signature is written to buf using memcpy(). --- ChangeLog | 8 +++++++- library/x509write_crt.c | 3 +++ library/x509write_csr.c | 3 +++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a217fa61b..422f33a98 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,12 @@ mbed TLS ChangeLog (Sorted per branch, date) -= mbed TLS 2.1.x += mbed TLS 2.1.x branch released 2016-xx-xx + +Security + * Fix potential stack corruption in mbedtls_x509write_crt_der() and + mbedtls_x509write_csr_der() when the signature is copied to the buffer + without checking whether there is enough space in the destination. It is + not triggerable remotely in SSL/TLS. Bugfix * Fix an issue that caused valid certificates being rejected whenever an diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 9041d440f..d1d9a22a7 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -413,6 +413,9 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf, sig_oid, sig_oid_len, sig, sig_len ) ); + if( len > (size_t)( c2 - buf ) ) + return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); + c2 -= len; memcpy( c2, c, len ); diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 0b9a2851e..8fd856b2a 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -213,6 +213,9 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf, sig_oid, sig_oid_len, sig, sig_len ) ); + if( len > (size_t)( c2 - buf ) ) + return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); + c2 -= len; memcpy( c2, c, len );