mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-03-08 10:09:54 +00:00
Fix buffer overreads in mbedtls_pem_read_buffer()
This commit is contained in:
parent
c1d54bb7b2
commit
d3cbc15951
|
@ -1,5 +1,12 @@
|
|||
mbed TLS ChangeLog (Sorted per branch, date)
|
||||
|
||||
= mbed TLS 1.3.x branch released xxxx-xx-xx
|
||||
|
||||
Bugfix
|
||||
* Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
|
||||
the input string in pem format to extract the different components. Found
|
||||
by Eyal Itkin.
|
||||
|
||||
= mbed TLS 1.3.18 branch 2016-10-17
|
||||
|
||||
Security
|
||||
|
|
|
@ -250,7 +250,7 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,
|
|||
|
||||
enc = 0;
|
||||
|
||||
if( memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
|
||||
if( s2 - s1 >= 22 && memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
|
||||
{
|
||||
#if defined(POLARSSL_MD5_C) && defined(POLARSSL_CIPHER_MODE_CBC) && \
|
||||
( defined(POLARSSL_DES_C) || defined(POLARSSL_AES_C) )
|
||||
|
@ -263,22 +263,22 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,
|
|||
|
||||
|
||||
#if defined(POLARSSL_DES_C)
|
||||
if( memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
|
||||
if( s2 - s1 >= 23 && memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
|
||||
{
|
||||
enc_alg = POLARSSL_CIPHER_DES_EDE3_CBC;
|
||||
|
||||
s1 += 23;
|
||||
if( pem_get_iv( s1, pem_iv, 8 ) != 0 )
|
||||
if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8 ) != 0 )
|
||||
return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
|
||||
|
||||
s1 += 16;
|
||||
}
|
||||
else if( memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
|
||||
else if( s2 - s1 >= 18 && memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
|
||||
{
|
||||
enc_alg = POLARSSL_CIPHER_DES_CBC;
|
||||
|
||||
s1 += 18;
|
||||
if( pem_get_iv( s1, pem_iv, 8) != 0 )
|
||||
if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8) != 0 )
|
||||
return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
|
||||
|
||||
s1 += 16;
|
||||
|
@ -286,9 +286,11 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,
|
|||
#endif /* POLARSSL_DES_C */
|
||||
|
||||
#if defined(POLARSSL_AES_C)
|
||||
if( memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
|
||||
if( s2 - s1 >= 14 && memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
|
||||
{
|
||||
if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
|
||||
if( s2 - s1 < 22 )
|
||||
return( POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG );
|
||||
else if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
|
||||
enc_alg = POLARSSL_CIPHER_AES_128_CBC;
|
||||
else if( memcmp( s1, "DEK-Info: AES-192-CBC,", 22 ) == 0 )
|
||||
enc_alg = POLARSSL_CIPHER_AES_192_CBC;
|
||||
|
@ -298,7 +300,7 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,
|
|||
return( POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG );
|
||||
|
||||
s1 += 22;
|
||||
if( pem_get_iv( s1, pem_iv, 16 ) != 0 )
|
||||
if( s2 - s1 < 32 || pem_get_iv( s1, pem_iv, 16 ) != 0 )
|
||||
return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
|
||||
|
||||
s1 += 32;
|
||||
|
@ -317,7 +319,7 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,
|
|||
( POLARSSL_AES_C || POLARSSL_DES_C ) */
|
||||
}
|
||||
|
||||
if( s1 == s2 )
|
||||
if( s1 >= s2 )
|
||||
return( POLARSSL_ERR_PEM_INVALID_DATA );
|
||||
|
||||
len = 0;
|
||||
|
|
Loading…
Reference in a new issue