Prevent signed integer overflow in CSR parsing Modify the function mbedtls_x509_csr_parse_der() so that it checks the parsed CSR version integer before it increments the value. This prevents a potential signed integer overflow, as these have undefined behaviour in the C standard.

commit: 2e65a54d5a2414b8fd3dc36ee1cca3ab9a36586c [log] [tgz]
author: Andres AG <andres.amayagarcia@arm.com> Fri Feb 17 13:54:43 2017 +0000
committer: Simon Butcher <simon.butcher@arm.com> Thu Jul 27 15:08:01 2017 +0100
tree: e88bbec3e4ceea700059e700610062bcc5bbd749
parent: 7ca4a039554670ce3011a1ef649b54a66e2cc7da [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index 567e988..eea6919 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -46,6 +46,10 @@
      Reported and fix suggested by guidovranken in #740
    * Fix conditional preprocessor directives in bignum.h to enable 64-bit
      compilation when using ARM Compiler 6.
+   * Fix potential integer overflow in the version verification for DER
+     encoded X509 CSRs. The overflow would enable maliciously constructed CSRs
+     to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
+     KNOX Security, Samsung Research America
 
 Security
    * Fix authentication bypass in SSL/TLS: when auth_mode is set to optional,
commit	2e65a54d5a2414b8fd3dc36ee1cca3ab9a36586c	[log] [tgz]
author	Andres AG <andres.amayagarcia@arm.com>	Fri Feb 17 13:54:43 2017 +0000
committer	Simon Butcher <simon.butcher@arm.com>	Thu Jul 27 15:08:01 2017 +0100
tree	e88bbec3e4ceea700059e700610062bcc5bbd749
parent	7ca4a039554670ce3011a1ef649b54a66e2cc7da [diff] [blame]