commit 215a14bf29c5eac125ab986adefa37bb4fbc5284
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Oct 21 10:16:29 2015 +0200
committer Manuel Pégourié-Gonnard <mpg2@elzevir.fr> Tue Oct 27 11:47:37 2015 +0100
tree 95583cd1d2459f2ab5173a9deb9fc628655da858
parent 9c521767760d2a3edba4e133e69b1910d79311c9

Fix potential heap corruption on Windows

If len is large enough, when cast to an int it will be negative and then the
test if( len > MAX_PATH - 3 ) will not behave as expected.

Ref: IOTSSL-518

backport of 261faed725e29bd34abbf1f95df5fab43791f40c

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 78664d0..b459887 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,9 @@
    * Fix potential double free if ssl_set_psk() is called more than once and
      some allocation fails. Cannot be forced remotely. Found by Guido Vranken,
      Intelworks.
+   * Fix potential heap corruption on Windows when
+     x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
+     triggered remotely. Found by Guido Vranken, Interlworks.
 
 = mbed TLS 1.3.14 released 2015-10-06
 

library/x509_crt.c

diff --git a/library/x509_crt.c b/library/x509_crt.c
index 3fb2b68..200f6bb 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -973,7 +973,7 @@
     WCHAR szDir[MAX_PATH];
     char filename[MAX_PATH];
     char *p;
-    int len = (int) strlen( path );
+    size_t len = strlen( path );
 
     WIN32_FIND_DATAW file_data;
     HANDLE hFind;
@@ -1007,7 +1007,7 @@
 
         w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
                                      lstrlenW( file_data.cFileName ),
-                                     p, len - 1,
+                                     p, (int) len - 1,
                                      NULL, NULL );
         if( w_ret == 0 )
             return( POLARSSL_ERR_X509_FILE_IO_ERROR );