Fix integer overflows in buffer bound checks Fix potential integer overflows in the following functions: * mbedtls_md2_update() to be bypassed and cause * mbedtls_cipher_update() * mbedtls_ctr_drbg_reseed() This overflows would mainly be exploitable in 32-bit systems and could cause buffer bound checks to be bypassed.

commit: ef1329e4afb44ed55a0124b0c820d15e816b4fc4 [log] [tgz]
author: Andres Amaya Garcia <Andres.AmayaGarcia@arm.com> Tue Jan 17 23:24:02 2017 +0000
committer: Simon Butcher <simon.butcher@arm.com> Mon Feb 20 21:49:01 2017 +0000
tree: b7e163bed9bd670b1063fc409b14742ac3291c47
parent: 31ea513dce3a87fb5097825847f9ddfe3b3cde37 [diff] [blame]
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index aefddfa..646196e 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c

@@ -290,7 +290,8 @@
     unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
     size_t seedlen = 0;
 
-    if( ctx->entropy_len + len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
+    if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ||
+        len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
         return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
 
     memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
commit	ef1329e4afb44ed55a0124b0c820d15e816b4fc4	[log] [tgz]
author	Andres Amaya Garcia <Andres.AmayaGarcia@arm.com>	Tue Jan 17 23:24:02 2017 +0000
committer	Simon Butcher <simon.butcher@arm.com>	Mon Feb 20 21:49:01 2017 +0000
tree	b7e163bed9bd670b1063fc409b14742ac3291c47
parent	31ea513dce3a87fb5097825847f9ddfe3b3cde37 [diff] [blame]