commit 43b37cbc92f35bae312f08a0ae285c582412c46d
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue May 12 11:20:10 2015 +0200
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue May 12 11:26:43 2015 +0200
tree dc114da051189d862e182ac7ca31336db9f288cf
parent 2088ba6d30836da0984d3e0f0fd847ba4bf976f8

Fix use of pem_read_buffer() in PK, DHM and X509

library/x509_crl.c

diff --git a/library/x509_crl.c b/library/x509_crl.c
index a915aba..fc4b2df 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -503,6 +503,11 @@
     do
     {
         mbedtls_pem_init( &pem );
+
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( buf[buflen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
         ret = mbedtls_pem_read_buffer( &pem,
                                "-----BEGIN X509 CRL-----",
                                "-----END X509 CRL-----",
@@ -532,7 +537,9 @@
             return( ret );
         }
     }
-    while( is_pem && buflen > 0 );
+    /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
+     * And a valid CRL cannot be less than 1 byte anyway. */
+    while( is_pem && buflen > 1 );
 
     if( is_pem )
         return( 0 );
@@ -556,7 +563,7 @@
 
     ret = mbedtls_x509_crl_parse( chain, buf, n );
 
-    mbedtls_zeroize( buf, n + 1 );
+    mbedtls_zeroize( buf, n );
     mbedtls_free( buf );
 
     return( ret );