Fix integer overflows in buffer bound checks Fix potential integer overflows in the following functions: * mbedtls_md2_update() to be bypassed and cause * mbedtls_cipher_update() * mbedtls_ctr_drbg_reseed() This overflows would mainly be exploitable in 32-bit systems and could cause buffer bound checks to be bypassed.

commit: 6a54336897e5150b95c64bf1eea122cdd9556a9c [log] [tgz]
author: Andres Amaya Garcia <Andres.AmayaGarcia@arm.com> Tue Jan 17 23:04:22 2017 +0000
committer: Simon Butcher <simon.butcher@arm.com> Wed Feb 15 23:31:07 2017 +0200
tree: 09756beb852437c77e72cc74c3314c9fb0428668
parent: 49d29337facd93e5d1039b7073ded21ec6dde54d [diff]
diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function
index 3acfb8b..883cfe0 100644
--- a/tests/suites/test_suite_ctr_drbg.function
+++ b/tests/suites/test_suite_ctr_drbg.function

@@ -39,6 +39,11 @@
     TEST_ASSERT( mbedtls_ctr_drbg_reseed( &ctx, additional,
                         MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + 1 ) ==
                         MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
+
+    mbedtls_ctr_drbg_set_entropy_len( &ctx, ~0 );
+    TEST_ASSERT( mbedtls_ctr_drbg_reseed( &ctx, additional,
+                        MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ) ==
+                        MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
 exit:
     mbedtls_ctr_drbg_free( &ctx );
 }
commit	6a54336897e5150b95c64bf1eea122cdd9556a9c	[log] [tgz]
author	Andres Amaya Garcia <Andres.AmayaGarcia@arm.com>	Tue Jan 17 23:04:22 2017 +0000
committer	Simon Butcher <simon.butcher@arm.com>	Wed Feb 15 23:31:07 2017 +0200
tree	09756beb852437c77e72cc74c3314c9fb0428668
parent	49d29337facd93e5d1039b7073ded21ec6dde54d [diff]