Merge branch 'iotssl-519-asn1write-overflows-restricted' into development-restricted
* iotssl-519-asn1write-overflows-restricted:
Fix other int casts in bounds checking
Fix other occurrences of same bounds check issue
Fix potential buffer overflow in asn1write
diff --git a/ChangeLog b/ChangeLog
index bfbc2ee..090f130 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,10 @@
* Fix potential heap corruption on Windows when
mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
triggered remotely. Found by Guido Vranken, Interlworks.
+ * Fix potential buffer overflow in some asn1_write_xxx() functions.
+ Cannot be triggered remotely unless you create X.509 certificates based
+ on untrusted input or write keys of untrusted origin. Found by Guido
+ Vranken, Interlworks.
* The X509 max_pathlen constraint was not enforced on intermediate
certificates. Found by Nicholas Wilson, fix and tests provided by
Janos Follath. #280 and #319
diff --git a/library/asn1write.c b/library/asn1write.c
index 849e8c1..456660d 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -87,7 +87,7 @@
{
size_t len = 0;
- if( *p - start < (int) size )
+ if( *p < start || (size_t)( *p - start ) < size )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
len = size;
@@ -107,7 +107,7 @@
//
len = mbedtls_mpi_size( X );
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len;
@@ -270,7 +270,7 @@
// Calculate byte length
//
- if( *p - start < (int) size + 1 )
+ if( *p < start || (size_t)( *p - start ) < size + 1 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
len = size + 1;
diff --git a/library/pkwrite.c b/library/pkwrite.c
index 0a16eac..83b798c 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -96,7 +96,7 @@
return( ret );
}
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
*p -= len;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8969b4b..c18a3b4 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1105,11 +1105,16 @@
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
{
- if( end - p < 2 + (int) psk_len )
+ if( end - p < 2 )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
*(p++) = (unsigned char)( psk_len >> 8 );
*(p++) = (unsigned char)( psk_len );
+
+ if( end < p || (size_t)( end - p ) < psk_len )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+ memset( p, 0, psk_len );
p += psk_len;
}
else
@@ -1177,11 +1182,15 @@
}
/* opaque psk<0..2^16-1>; */
- if( end - p < 2 + (int) psk_len )
- return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ if( end - p < 2 )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
*(p++) = (unsigned char)( psk_len >> 8 );
*(p++) = (unsigned char)( psk_len );
+
+ if( end < p || (size_t)( end - p ) < psk_len )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
memcpy( p, psk, psk_len );
p += psk_len;
diff --git a/library/x509_create.c b/library/x509_create.c
index 3b773c0..df20ec8 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -259,13 +259,16 @@
int ret;
size_t len = 0;
- if( *p - start < (int) size + 1 )
+ if( *p < start || (size_t)( *p - start ) < size )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
len = size;
(*p) -= len;
memcpy( *p, sig, len );
+ if( *p - start < 1 )
+ return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
*--(*p) = 0;
len += 1;