Add test for bounds in X509 DER write funcs

commit: e0af995f1275da47a42b520df0d7d872f20cd26d [log] [tgz]
author: Andres AG <andres.amayagarcia@arm.com> Wed Sep 07 11:09:44 2016 +0100
committer: Simon Butcher <simon.butcher@arm.com> Tue Oct 11 14:07:48 2016 +0100
tree: 4f5923c5463ee026cd67ad524d2f2cba09263095
parent: 60dbc9383109f2609776acbdacc7b19dba036dcc [diff]
diff --git a/ChangeLog b/ChangeLog
index afef2dd..d4c82e0 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -5,8 +5,8 @@
 Security
    * Fix potential stack corruption in mbedtls_x509write_crt_der() and
      mbedtls_x509write_csr_der() when the signature is copied to the buffer
-     without checking whether there is enough space in the destination. It is
-     not triggerable remotely in SSL/TLS.
+     without checking whether there is enough space in the destination. The
+     issue cannot be triggered remotely.
 
 Features
    * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by

diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index c3773ba..89be31f 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function

@@ -16,10 +16,11 @@
 {
     mbedtls_pk_context key;
     mbedtls_x509write_csr req;
-    unsigned char buf[4000];
+    unsigned char buf[4096];
     unsigned char check_buf[4000];
     int ret;
     size_t olen = 0, pem_len = 0;
+    int der_len = -1;
     FILE *f;
     const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
     rnd_pseudo_info rnd_info;
@@ -52,6 +53,17 @@
     TEST_ASSERT( olen >= pem_len - 1 );
     TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
 
+    der_len = mbedtls_x509write_csr_der( &req, buf, sizeof( buf ),
+                            rnd_pseudo_rand, &rnd_info );
+    TEST_ASSERT( der_len >= 0 );
+
+    if( der_len == 0 )
+        goto exit;
+
+    ret = mbedtls_x509write_csr_der( &req, buf, (size_t)( der_len - 1 ),
+                            rnd_pseudo_rand, &rnd_info );
+    TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
 exit:
     mbedtls_x509write_csr_free( &req );
     mbedtls_pk_free( &key );
@@ -68,11 +80,12 @@
 {
     mbedtls_pk_context subject_key, issuer_key;
     mbedtls_x509write_cert crt;
-    unsigned char buf[4000];
+    unsigned char buf[4096];
     unsigned char check_buf[5000];
     mbedtls_mpi serial;
     int ret;
     size_t olen = 0, pem_len = 0;
+    int der_len = -1;
     FILE *f;
     rnd_pseudo_info rnd_info;
 
@@ -125,6 +138,17 @@
     TEST_ASSERT( olen >= pem_len - 1 );
     TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
 
+    der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ),
+                            rnd_pseudo_rand, &rnd_info );
+    TEST_ASSERT( der_len >= 0 );
+
+    if( der_len == 0 )
+        goto exit;
+
+    ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ),
+                            rnd_pseudo_rand, &rnd_info );
+    TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
 exit:
     mbedtls_x509write_crt_free( &crt );
     mbedtls_pk_free( &issuer_key );
commit	e0af995f1275da47a42b520df0d7d872f20cd26d	[log] [tgz]
author	Andres AG <andres.amayagarcia@arm.com>	Wed Sep 07 11:09:44 2016 +0100
committer	Simon Butcher <simon.butcher@arm.com>	Tue Oct 11 14:07:48 2016 +0100
tree	4f5923c5463ee026cd67ad524d2f2cba09263095
parent	60dbc9383109f2609776acbdacc7b19dba036dcc [diff]