From 9dc66f4b2f65666d26ca658a020fabf134584c09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Oct 2015 10:16:29 +0200 Subject: [PATCH] Fix potential heap corruption on Windows If len is large enough, when cast to an int it will be negative and then the test if( len > MAX_PATH - 3 ) will not behave as expected. --- ChangeLog | 3 +++ library/x509_crt.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ac33f5bf9..85909ca05 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ Security * Fix potential double free if mbedtls_ssl_conf_psk() is called more than once and some allocation fails. Cannot be forced remotely. Found by Guido Vranken, Intelworks. + * Fix potential heap corruption on Windows when + mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be + triggered remotely. Found by Guido Vranken, Interlworks. * The X509 max_pathlen constraint was not enforced on intermediate certificates. Found by Nicholas Wilson, fix and tests provided by Janos Follath. #280 and #319 diff --git a/library/x509_crt.c b/library/x509_crt.c index 579fbb778..91e4f50b9 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1099,7 +1099,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ) WCHAR szDir[MAX_PATH]; char filename[MAX_PATH]; char *p; - int len = (int) strlen( path ); + size_t len = strlen( path ); WIN32_FIND_DATAW file_data; HANDLE hFind; @@ -1133,7 +1133,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ) w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName, lstrlenW( file_data.cFileName ), - p, len - 1, + p, (int) len - 1, NULL, NULL ); if( w_ret == 0 ) return( MBEDTLS_ERR_X509_FILE_IO_ERROR );