commit 261faed725e29bd34abbf1f95df5fab43791f40c
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Oct 21 10:16:29 2015 +0200
committer Manuel Pégourié-Gonnard <mpg2@elzevir.fr> Wed Oct 21 10:25:22 2015 +0200
tree fc98167aee0562da1896ad93022aefa43cc9a4a8
parent cdea97c1c310e6adfbcf92e5feb90f2841efde78

Fix potential heap corruption on Windows

If len is large enough, when cast to an int it will be negative and then the
test if( len > MAX_PATH - 3 ) will not behave as expected.

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index aa96b18..9204fd0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS 2.2.0 released 2015-10-xx
+
+Security
+   * Fix potential heap corruption on Windows when
+     mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
+     triggered remotely. Found by Guido Vranken, Interlworks.
+
 = mbed TLS 2.1.2 released 2015-10-06
 
 Security

library/x509_crt.c

diff --git a/library/x509_crt.c b/library/x509_crt.c
index f6879dd..5dc6568 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1097,7 +1097,7 @@
     WCHAR szDir[MAX_PATH];
     char filename[MAX_PATH];
     char *p;
-    int len = (int) strlen( path );
+    size_t len = strlen( path );
 
     WIN32_FIND_DATAW file_data;
     HANDLE hFind;
@@ -1131,7 +1131,7 @@
 
         w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
                                      lstrlenW( file_data.cFileName ),
-                                     p, len - 1,
+                                     p, (int) len - 1,
                                      NULL, NULL );
         if( w_ret == 0 )
             return( MBEDTLS_ERR_X509_FILE_IO_ERROR );