yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-06-20 20:38:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix potential buffer overread of size 1

Browse source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-11-17 12:04:51 +01:00
parent 309c798b2b
commit d8a1ea72b1
3 changed files with 13 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
ChangeLog
View file

@ -12,6 +12,8 @@ Security
* Fix potential stack overflow while parsing crafted X.509 certificates * Fix potential stack overflow while parsing crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate) (TLS server is not affected if it doesn't ask for a client certificate)
found using Codenomicon Defensics). found using Codenomicon Defensics).
* Fix buffer overread of size 1 when parsing crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate).
Bugfix Bugfix
* Fix potential undefined behaviour in Camellia. * Fix potential undefined behaviour in Camellia.

10
library/x509parse.c
View file

@ -193,6 +193,11 @@ static int x509_get_alg( unsigned char **p,
return( POLARSSL_ERR_X509_CERT_INVALID_ALG + ret ); return( POLARSSL_ERR_X509_CERT_INVALID_ALG + ret );
end = *p + len; end = *p + len;
if( len < 1 )
return( POLARSSL_ERR_X509_CERT_INVALID_ALG +
POLARSSL_ERR_ASN1_OUT_OF_DATA );
alg->tag = **p; alg->tag = **p;
if( ( ret = asn1_get_tag( p, end, &alg->len, ASN1_OID ) ) != 0 ) if( ( ret = asn1_get_tag( p, end, &alg->len, ASN1_OID ) ) != 0 )
@ -240,6 +245,11 @@ static int x509_get_attr_type_value( unsigned char **p,
return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret ); return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
oid = &cur->oid; oid = &cur->oid;
if( len < 1 )
return( POLARSSL_ERR_X509_CERT_INVALID_NAME +
POLARSSL_ERR_ASN1_OUT_OF_DATA );
oid->tag = **p; oid->tag = **p;
if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 ) if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 )

2
tests/suites/test_suite_x509parse.data
View file

@ -450,7 +450,7 @@ X509 Certificate ASN1 (TBSCertificate, issuer no inner set data)
x509parse_crt:"30223020a0030201028204deadbeef300d06092a864886f70d0101020500300431023000":"":POLARSSL_ERR_X509_CERT_INVALID_NAME + POLARSSL_ERR_ASN1_OUT_OF_DATA x509parse_crt:"30223020a0030201028204deadbeef300d06092a864886f70d0101020500300431023000":"":POLARSSL_ERR_X509_CERT_INVALID_NAME + POLARSSL_ERR_ASN1_OUT_OF_DATA
X509 Certificate ASN1 (TBSCertificate, issuer two inner set datas) X509 Certificate ASN1 (TBSCertificate, issuer two inner set datas)
x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010205003006310430003000":"":POLARSSL_ERR_X509_CERT_INVALID_NAME + POLARSSL_ERR_ASN1_UNEXPECTED_TAG x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010205003006310430003000":"":POLARSSL_ERR_X509_CERT_INVALID_NAME + POLARSSL_ERR_ASN1_OUT_OF_DATA
X509 Certificate ASN1 (TBSCertificate, issuer no oid data) X509 Certificate ASN1 (TBSCertificate, issuer no oid data)
x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010205003006310430020600":"":POLARSSL_ERR_X509_CERT_INVALID_NAME + POLARSSL_ERR_ASN1_OUT_OF_DATA x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010205003006310430020600":"":POLARSSL_ERR_X509_CERT_INVALID_NAME + POLARSSL_ERR_ASN1_OUT_OF_DATA