Add missing bounds check in X509 DER write funcs This patch adds checks in both mbedtls_x509write_crt_der and mbedtls_x509write_csr_der before the signature is written to buf using memcpy().

commit: 60dbc9383109f2609776acbdacc7b19dba036dcc [log] [tgz]
author: Andres AG <andres.amayagarcia@arm.com> Fri Sep 02 15:23:48 2016 +0100
committer: Simon Butcher <simon.butcher@arm.com> Tue Oct 11 14:07:48 2016 +0100
tree: 2aaac1aaf72c7d5316246328cbab9496f786c36e
parent: e3d882ad4ab271bbfe9183371637f76591c1fea6 [diff] [blame]
diff --git a/library/x509write_csr.c b/library/x509write_csr.c
index 0b9a285..8fd856b 100644
--- a/library/x509write_csr.c
+++ b/library/x509write_csr.c

@@ -213,6 +213,9 @@
     MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
                                         sig_oid, sig_oid_len, sig, sig_len ) );
 
+    if( len > (size_t)( c2 - buf ) )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
     c2 -= len;
     memcpy( c2, c, len );
commit	60dbc9383109f2609776acbdacc7b19dba036dcc	[log] [tgz]
author	Andres AG <andres.amayagarcia@arm.com>	Fri Sep 02 15:23:48 2016 +0100
committer	Simon Butcher <simon.butcher@arm.com>	Tue Oct 11 14:07:48 2016 +0100
tree	2aaac1aaf72c7d5316246328cbab9496f786c36e
parent	e3d882ad4ab271bbfe9183371637f76591c1fea6 [diff] [blame]