mbedtls/library
Gilles Peskine 78e54b9b1d x509_crl_parse: fix 1-byte buffer overflow and entry->raw.tag
In the entries (mbedtls_x509_crl_entry values) on the list constructed
by mbedtls_x509_crl_parse_der(), set entry->raw.tag to
(SEQUENCE | CONSTRUCTED) rather than to the tag of the first ASN.1
element of the entry (which happens to be the tag of the serial
number, so INTEGER or INTEGER | CONTEXT_SPECIFIC). This doesn't
really matter in practice (and in particular the value is never used
in Mbed TLS itself), and isn't documented, but at least it's
consistent with how mbedtls_x509_buf is normally used.

The primary importance of this change is that the old code tried to
access the tag of the first element of the entry even when the entry
happened to be empty. If the entry was empty and not followed by
anything else in the CRL, this could cause a read 1 byte after the end
of the buffer containing the CRL.

The test case "X509 CRL ASN1 (TBSCertList, single empty entry at end)"
hit the problematic buffer overflow, which is detected with ASan.

Credit to OSS-Fuzz for detecting the problem.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-12 12:51:43 +02:00
.gitignore Split libs with make + general make cleanups 2015-06-25 10:59:56 +02:00
aes.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
aesni.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
arc4.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
asn1parse.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
asn1write.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
base64.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
bignum.c Merge pull request #3409 from bensze01/license-2.7 2020-06-18 15:54:09 +01:00
blowfish.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
camellia.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
ccm.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
certs.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
cipher.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
cipher_wrap.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
cmac.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
CMakeLists.txt Bump version to Mbed TLS 2.7.16 2020-06-26 12:37:57 +01:00
ctr_drbg.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
debug.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
des.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
dhm.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
ecdh.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
ecdsa.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
ecjpake.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
ecp.c Merge branch 'mbedtls-2.7-restricted' into mbedtls-2.7.16r0 2020-06-25 09:20:57 +01:00
ecp_curves.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
entropy.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
entropy_poll.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
error.c Merge pull request #3409 from bensze01/license-2.7 2020-06-18 15:54:09 +01:00
gcm.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
havege.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
hmac_drbg.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
Makefile Fix #2370, minor typos and spelling mistakes 2019-02-18 15:57:54 +00:00
md.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
md2.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
md4.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
md5.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
md_wrap.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
memory_buffer_alloc.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
net_sockets.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
oid.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
padlock.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
pem.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
pk.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
pk_wrap.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
pkcs5.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
pkcs11.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
pkcs12.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
pkparse.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
pkwrite.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
platform.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
ripemd160.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
rsa.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
rsa_internal.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
sha1.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
sha256.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
sha512.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
ssl_cache.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
ssl_ciphersuites.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
ssl_cli.c Merge pull request #3409 from bensze01/license-2.7 2020-06-18 15:54:09 +01:00
ssl_cookie.c Merge pull request #3409 from bensze01/license-2.7 2020-06-18 15:54:09 +01:00
ssl_srv.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
ssl_ticket.c Merge pull request #3409 from bensze01/license-2.7 2020-06-18 15:54:09 +01:00
ssl_tls.c Merge branch 'mbedtls-2.7-restricted' into mbedtls-2.7.16r0 2020-06-25 09:20:57 +01:00
threading.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
timing.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
version.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
version_features.c Merge branch 'mbedtls-2.7-restricted' into mbedtls-2.7.16r0 2020-06-25 09:20:57 +01:00
x509.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
x509_create.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
x509_crl.c x509_crl_parse: fix 1-byte buffer overflow and entry->raw.tag 2020-08-12 12:51:43 +02:00
x509_crt.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
x509_csr.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
x509write_crt.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
x509write_csr.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00
xtea.c Update license headers to Apache-2.0 OR GPL-2.0-or-later 2020-06-15 12:56:41 +02:00