From b134060f90ee0e47a63a36f0c36334edeed4a110 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 11 Nov 2014 23:11:16 +0100 Subject: [PATCH] Fix memory leak with crafted X.509 certs --- ChangeLog | 3 +++ library/x509_crt.c | 3 +++ tests/suites/test_suite_x509parse.data | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/ChangeLog b/ChangeLog index 9821551c5..f06f582d1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ Security * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). + * Fix remotely-triggerable memory leak caused by crafted X.509 certificates + (server is not affected if it doesn't ask for a client certificate) + (found using Codenomicon Defensics). Features * Add function pk_check_pair() to test if public and private keys match. diff --git a/library/x509_crt.c b/library/x509_crt.c index 88d7f04c7..525d250fb 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -359,6 +359,9 @@ static int x509_get_subject_alt_name( unsigned char **p, /* Allocate and assign next pointer */ if( cur->buf.p != NULL ) { + if( cur->next != NULL ) + return( POLARSSL_ERR_X509_INVALID_EXTENSIONS ); + cur->next = (asn1_sequence *) polarssl_malloc( sizeof( asn1_sequence ) ); diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index c2bb7f320..b7f6791af 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
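Review bot: The new `if( cur->next != NULL )` guard in x509_get_subject_alt_name has no comment, and at the point of the check it is not obvious why a non-NULL `next` is an error. Judging by the commit subject and the added "SubjectAltName repeated" test, it presumably means the list was already filled by an earlier SubjectAltName extension in the same certificate, so the `polarssl_malloc` below would overwrite the pointer and leak the existing nodes. I would put that above the check, for example `/* next already set: extension seen before, appending would leak the old list */`. The function body continues outside the hunk, so it cannot be confirmed from here that the early return leaves the already-built list to be freed by the caller's normal cleanup. It is also worth checking whether other extension parsers that build lists reject a repeated extension in the same way.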
@@ -873,6 +873,10 @@ X509 Certificate ASN1 (ExtKeyUsage, bad second tag) depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED x509parse_crt:"3081de3081dba003020102020900ebdbcd14105e1839300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3134313131313230353935345a170d3234313130383230353935345a300f310d300b06035504031304546573743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa321301f301d0603551d250416301406082b0601050507030107082b06010505070302":"":POLARSSL_ERR_X509_INVALID_EXTENSIONS + POLARSSL_ERR_ASN1_UNEXPECTED_TAG +X509 Certificate ASN1 (SubjectAltName repeated) +depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED +x509parse_crt:"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":"":POLARSSL_ERR_X509_INVALID_EXTENSIONS + X509 Certificate ASN1 (correct pubkey, no sig_alg) depends_on:POLARSSL_RSA_C x509parse_crt:"308183308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":POLARSSL_ERR_X509_INVALID_ALG + POLARSSL_ERR_ASN1_OUT_OF_DATA