Fix potential random malloc in pem_read()

2025-01-23 21:01:03 +00:00 · 2015-09-28 18:27:15 +02:00 · 2015-09-28 18:27:15 +02:00 · 9bf29bee22
parent 59efb6a1b9
commit 9bf29bee22
3 changed files with 10 additions and 0 deletions
--- a/4
+++ b/4
@ -11,6 +11,10 @@ Security
     but might be in other uses. On 32 bit machines, requires reading a string
     of close to or larger than 1GB to exploit; on 64 bit machines, would require
     reading a string of close to or larger than 2^62 bytes.
+   * Fix potential random memory allocation in mbedtls_pem_read_buffer()
+     on crafted PEM input data. Found an fix provided by Guid Vranken.
+     Not triggerable remotely in TLS. Triggerable remotely if you accept PEM
+     data from an untrusted source.

 = mbed TLS 1.3.13 reladsed 2015-09-17

--- a/library/base64.c
+++ b/library/base64.c
@ -190,7 +190,10 @@ int base64_decode( unsigned char *dst, size_t *dlen,
    }

    if( n == 0 )
+    {
+        *dlen = 0;
        return( 0 );
+    }

    n = ( ( n * 6 ) + 7 ) >> 3;
    n -= j;
--- a/library/pem.c
+++ b/library/pem.c
@ -317,6 +317,9 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,
          ( POLARSSL_AES_C || POLARSSL_DES_C ) */
    }

+    if( s1 == s2 )
+        return( POLARSSL_ERR_PEM_INVALID_DATA );
+
    len = 0;
    ret = base64_decode( NULL, &len, s1, s2 - s1 );