Add missing bounds check in X509 DER write funcs This patch adds checks in both mbedtls_x509write_crt_der and mbedtls_x509write_csr_der before the signature is written to buf using memcpy().

commit: 60dbc9383109f2609776acbdacc7b19dba036dcc [log] [tgz]
author: Andres AG <andres.amayagarcia@arm.com> Fri Sep 02 15:23:48 2016 +0100
committer: Simon Butcher <simon.butcher@arm.com> Tue Oct 11 14:07:48 2016 +0100
tree: 2aaac1aaf72c7d5316246328cbab9496f786c36e
parent: e3d882ad4ab271bbfe9183371637f76591c1fea6 [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index f8890dc..afef2dd 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -2,6 +2,12 @@
 
 = mbed TLS 2.3.x branch released 2016-xx-xx
 
+Security
+   * Fix potential stack corruption in mbedtls_x509write_crt_der() and
+     mbedtls_x509write_csr_der() when the signature is copied to the buffer
+     without checking whether there is enough space in the destination. It is
+     not triggerable remotely in SSL/TLS.
+
 Features
    * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
      NIST SP 800-38B, RFC-4493 and RFC-4615.
commit	60dbc9383109f2609776acbdacc7b19dba036dcc	[log] [tgz]
author	Andres AG <andres.amayagarcia@arm.com>	Fri Sep 02 15:23:48 2016 +0100
committer	Simon Butcher <simon.butcher@arm.com>	Tue Oct 11 14:07:48 2016 +0100
tree	2aaac1aaf72c7d5316246328cbab9496f786c36e
parent	e3d882ad4ab271bbfe9183371637f76591c1fea6 [diff] [blame]