TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / d177e3f5fca1c43cbabdc5cda8166af1b11356da^2..d177e3f5fca1c43cbabdc5cda8166af1b11356da / .
commitd177e3f5fca1c43cbabdc5cda8166af1b11356da[log] [tgz]
authorDavid Horstmann <david.horstmann@arm.com>Fri Jun 13 15:48:29 2025 +0100
committerGitHub <noreply@github.com>Fri Jun 13 15:48:29 2025 +0100
treede14e22be3e4f1377d3042a9c7781162d9dfeaa9
parent3a21cdfa5ce996eac6451c9b796c0658938734dd [diff]
parent67f63821a5f6027213f99e7e7f29c09a67a773c2 [diff]
Merge pull request #1356 from Mbed-TLS/bugfix_1351_1352_1353_lms_drivers

 Bugfix: lms/lmots driver hardening.
diff --git a/ChangeLog.d/fix-string-to-names-store-named-data.txt b/ChangeLog.d/fix-string-to-names-store-named-data.txt
new file mode 100644
index 0000000..e517cbb
--- /dev/null
+++ b/ChangeLog.d/fix-string-to-names-store-named-data.txt

@@ -0,0 +1,8 @@
+Security
+   * Fix a bug in mbedtls_x509_string_to_names() and the
+     mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions,
+     where some inputs would cause an inconsistent state to be reached, causing
+     a NULL dereference either in the function itself, or in subsequent
+     users of the output structure, such as mbedtls_x509_write_names(). This
+     only affects applications that create (as opposed to consume) X.509
+     certificates, CSRs or CRLs. Found by Linh Le and Ngan Nguyen from Calif.

diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index e4e08da..4dcd967 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data

@@ -254,6 +254,27 @@
 X509 String to Names #20 (Reject empty AttributeValue)
 mbedtls_x509_string_to_names:"C=NL, O=, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME:0
 
+# Note: the behaviour is incorrect, output from string->names->string should be
+# the same as the input, rather than just the last component, see
+# https://github.com/Mbed-TLS/mbedtls/issues/10189
+# Still including tests for the current incorrect behaviour because of the
+# variants below where we want to ensure at least that no memory corruption
+# happens (which would be a lot worse than just a functional bug).
+X509 String to Names (repeated OID)
+mbedtls_x509_string_to_names:"CN=ab,CN=cd,CN=ef":"CN=ef":0:0
+
+# Note: when a value starts with a # sign, it's treated as the hex encoding of
+# the DER encoding of the value. Here, 0400 is a zero-length OCTET STRING.
+# The tag actually doesn't matter for our purposes, only the length.
+X509 String to Names (repeated OID, 1st is zero-length)
+mbedtls_x509_string_to_names:"CN=#0400,CN=cd,CN=ef":"CN=ef":0:0
+
+X509 String to Names (repeated OID, middle is zero-length)
+mbedtls_x509_string_to_names:"CN=ab,CN=#0400,CN=ef":"CN=ef":0:0
+
+X509 String to Names (repeated OID, last is zero-length)
+mbedtls_x509_string_to_names:"CN=ab,CN=cd,CN=#0400":"CN=#0000":0:MAY_FAIL_GET_NAME
+
 X509 Round trip test (Escaped characters)
 mbedtls_x509_string_to_names:"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":0:0