Prevent signed integer overflow in CSR parsing Modify the function mbedtls_x509_csr_parse_der() so that it checks the parsed CSR version integer before it increments the value. This prevents a potential signed integer overflow, as these have undefined behaviour in the C standard.

commit: 642ea1f399ad9b3a2bd0358547ff4e966c66b908 [log] [tgz]
author: Andres AG <andres.amayagarcia@arm.com> Fri Feb 17 13:54:43 2017 +0000
committer: Simon Butcher <simon.butcher@arm.com> Wed Jul 26 17:19:59 2017 +0100
tree: 1a722b0cc9da9c06ca4a4cf37db91f9b3381feef
parent: 487b7a9efc0bfad52816d2dd8dddfb3ff5790148 [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index 8e9d174..42a74e1 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -46,6 +46,10 @@
      Reported and fix suggested by guidovranken in #740
    * Fix conditional preprocessor directives in bignum.h to enable 64-bit
      compilation when using ARM Compiler 6.
+   * Fix potential integer overflow in the version verification for DER
+     encoded X509 CSRs. The overflow would enable maliciously constructed CSRs
+     to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
+     KNOX Security, Samsung Research America
 
 Changes
    * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
commit	642ea1f399ad9b3a2bd0358547ff4e966c66b908	[log] [tgz]
author	Andres AG <andres.amayagarcia@arm.com>	Fri Feb 17 13:54:43 2017 +0000
committer	Simon Butcher <simon.butcher@arm.com>	Wed Jul 26 17:19:59 2017 +0100
tree	1a722b0cc9da9c06ca4a4cf37db91f9b3381feef
parent	487b7a9efc0bfad52816d2dd8dddfb3ff5790148 [diff] [blame]