Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted
* mbedtls-1.3:
Use own implementation of strsep()
Add Changelog entries for this branch
Use symbolic constants in test data
Fixed pathlen constraint enforcement.
Additional corner cases for testing pathlen constraints. Just in case.
Added test case for pathlen constraints in intermediate certificates
diff --git a/ChangeLog b/ChangeLog
index f440011..52c1bcb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,16 @@
= mbed TLS 1.3.15 released 2015-10-xx
Security
+ * Fix potential double free if ssl_set_psk() is called more than once and
+ some allocation fails. Cannot be forced remotely. Found by Guido Vranken,
+ Intelworks.
+ * Fix potential heap corruption on Windows when
+ x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
+ triggered remotely. Found by Guido Vranken, Interlworks.
+ * Fix potential buffer overflow in some asn1_write_xxx() functions.
+ Cannot be triggered remotely unless you create X.509 certificates based
+ on untrusted input or write keys of untrusted origin. Found by Guido
+ Vranken, Interlworks.
* The X509 max_pathlen constraint was not enforced on intermediate
certificates. Found by Nicholas Wilson, fix and tests provided by
Janos Follath. #280 and #319
diff --git a/library/asn1write.c b/library/asn1write.c
index 92282b1..6a7c9d3 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -88,7 +88,7 @@
{
size_t len = 0;
- if( *p - start < (int) size )
+ if( *p < start || (size_t)( *p - start ) < size )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
len = size;
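Review bot: The new bounds test on the `if` line is one of five copies of the same two-clause idiom in this commit (the hunks at @@ -108 and @@ -271 below, the one in library/pkwrite.c, and the first check in library/x509_create.c), and each copy has to get the `*p < start` guard and the `size_t` cast right on its own. A small helper answering "does `[start, *p)` hold at least `need` bytes" would let every site read `if( !asn1_buf_has_room( start, *p, size ) )`, and exporting it from asn1write.h would let pkwrite.c and x509_create.c share it. The relational comparison `*p < start` is only well-defined when both pointers address the same buffer, which appears to be these writers' precondition; the helper's comment is the place to state it. The enclosing function starts before this hunk.
```c
/* Return non-zero if the output buffer [start, p) has at least need bytes
 * of room. Both pointers must address the same buffer. */
static int asn1_buf_has_room( const unsigned char *start,
                              const unsigned char *p, size_t need )
{
    return( p >= start && (size_t)( p - start ) >= need );
}

/* … unchanged: function head down to the bounds check … */
    if( !asn1_buf_has_room( start, *p, size ) )
        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
```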
@@ -108,7 +108,7 @@
//
len = mpi_size( X );
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len;
@@ -271,7 +271,7 @@
// Calculate byte length
//
- if( *p - start < (int) size + 1 )
+ if( *p < start || (size_t)( *p - start ) < size + 1 )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
len = size + 1;
diff --git a/library/pkwrite.c b/library/pkwrite.c
index 35dbd0b..bb9514e 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -97,7 +97,7 @@
return( ret );
}
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
*p -= len;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 44e5582..d9eb0a9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -949,11 +949,16 @@
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
{
- if( end - p < 2 + (int) ssl->psk_len )
+ if( end - p < 2 )
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
*(p++) = (unsigned char)( ssl->psk_len >> 8 );
*(p++) = (unsigned char)( ssl->psk_len );
+
+ if( end < p || (size_t)( end - p ) < ssl->psk_len )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
+ memset( p, 0, ssl->psk_len );
p += ssl->psk_len;
}
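Review bot: The `end < p` clause in the added check is dead: the guard `if( end - p < 2 )` a few lines earlier rejects every case where `end - p` is below 2, and `p` then advances by exactly 2, so `end - p` is at least 0 when the second check runs. Doing both checks before anything is written, `if( end - p < 2 || (size_t)( end - p - 2 ) < ssl->psk_len )` / `return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );`, also avoids leaving the two length bytes in the output buffer when the function fails; the same applies to the hunk at @@ -1021 below. Separately, the length prefix written with `>> 8` silently truncates `psk_len` to 16 bits, which is only harmless if ssl_set_psk already caps it (not visible here). The enclosing function starts before this hunk.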
else
@@ -1021,11 +1026,15 @@
}
/* opaque psk<0..2^16-1>; */
- if( end - p < 2 + (int) ssl->psk_len )
- return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+ if( end - p < 2 )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
*(p++) = (unsigned char)( ssl->psk_len >> 8 );
*(p++) = (unsigned char)( ssl->psk_len );
+
+ if( end < p || (size_t)( end - p ) < ssl->psk_len )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
memcpy( p, ssl->psk, ssl->psk_len );
p += ssl->psk_len;
@@ -4082,6 +4091,8 @@
{
polarssl_free( ssl->psk );
polarssl_free( ssl->psk_identity );
+ ssl->psk = NULL;
+ ssl->psk_identity = NULL;
}
if( ( ssl->psk = polarssl_malloc( psk_len ) ) == NULL ||
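Review bot: The previous PSK is freed without being wiped, so the key bytes stay in the heap chunk until the allocator reuses it; adding `polarssl_zeroize( ssl->psk, ssl->psk_len );` before the `polarssl_free( ssl->psk )` line would treat it like the other secret material in this file (I believe ssl_free already wipes the PSK before freeing; confirm the helper is in scope here). The NULL assignments remove the double free, but on the allocation path that follows, when the second malloc fails the freshly allocated `ssl->psk` must likewise be freed and reset to NULL, and the stored length (presumably `ssl->psk_len`) kept consistent, on the error branch that lies outside this hunk. The enclosing `if` starts before this hunk.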
diff --git a/library/x509_create.c b/library/x509_create.c
index f505bab..b2cbdd4 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -265,13 +265,16 @@
int ret;
size_t len = 0;
- if( *p - start < (int) size + 1 )
+ if( *p < start || (size_t)( *p - start ) < size )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
len = size;
(*p) -= len;
memcpy( *p, sig, len );
+ if( *p - start < 1 )
+ return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
+
*--(*p) = 0;
len += 1;
diff --git a/library/x509_crt.c b/library/x509_crt.c
index cb63b13..92a9b17 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -973,7 +973,7 @@
WCHAR szDir[MAX_PATH];
char filename[MAX_PATH];
char *p;
- int len = (int) strlen( path );
+ size_t len = strlen( path );
WIN32_FIND_DATAW file_data;
HANDLE hFind;
@@ -1007,7 +1007,7 @@
w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
lstrlenW( file_data.cFileName ),
- p, len - 1,
+ p, (int) len - 1,
NULL, NULL );
if( w_ret == 0 )
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
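Review bot: The `(int) len - 1` argument narrows the new `size_t len` back to `int`, so the fix relies on `len` having been bounded (presumably against MAX_PATH) somewhere between the two hunks, which is not visible here; a comment at the call, `/* len is bounded by MAX_PATH above, so the narrowing cast cannot truncate */`, would record that dependency for the next reader. If no such bound exists, the over-long path the ChangeLog describes would simply reappear as a wrapped `int` here. The enclosing function starts before the first hunk of this file.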