Merge branch 'polarssl-1.2' into polarssl-1.2-restricted
* polarssl-1.2:
Disable reportedly broken assembly of Sparc(64)
diff --git a/ChangeLog b/ChangeLog
index add1831..8e2fc6f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,15 @@
= Version 1.2.18 released 2015-10-xx
+Security
+ * Fix potential heap corruption on Windows when
+ x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
+ triggered remotely. Found by Guido Vranken, Interlworks.
+ * Fix potential buffer overflow in some asn1_write_xxx() functions.
+ Cannot be triggered remotely unless you create X.509 certificates based
+ on untrusted input or write keys of untrusted origin. Found by Guido
+ Vranken, Interlworks.
+
Bugfix
* Fix failures in MPI on Sparc(64) due to use of bad assembly code.
Found by Kurt Danielson. #292
@@ -9,9 +18,9 @@
= Version 1.2.17 released 2015-10-06
Security
- * Fix for CVE-2015-5291. Possible heap buffer overflow in SSL if a very long
- hostname is used. Can be trigerred remotely if you accept hostnames from
- untrusted parties. Found by Guido Vranken, Intelworks.
+ * Fix for CVE-2015-5291 to prevent heap corruption due to buffer
+ overflow of the hostname or session ticket. Found by Guido Vranken,
+ Intelworks.
* Fix stack buffer overflow in pkcs12 decryption (used by
mbedtls_pk_parse_key(file)() when the password is > 129 bytes. Found by
Guido Vranken, Intelworks. Not triggerable remotely.
diff --git a/library/asn1write.c b/library/asn1write.c
index 3d6f101..6c520dc 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -78,7 +78,7 @@
//
len = mpi_size( X );
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len;
@@ -127,7 +127,7 @@
//
len = strlen( oid );
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len;
@@ -203,7 +203,7 @@
//
len = strlen( text );
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len;
@@ -225,7 +225,7 @@
//
len = strlen( text );
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len;
diff --git a/library/x509parse.c b/library/x509parse.c
index c98145b..11e7841 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -1932,7 +1932,7 @@
WCHAR szDir[MAX_PATH];
char filename[MAX_PATH];
char *p;
- int len = strlen( path );
+ size_t len = strlen( path );
WIN32_FIND_DATAW file_data;
HANDLE hFind;
@@ -1947,7 +1947,7 @@
p = filename + len;
filename[len++] = '*';
- w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir, MAX_PATH - 3 );
+ w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int) len, szDir, MAX_PATH - 3 );
if( w_ret == 0 )
return( POLARSSL_ERR_X509_INVALID_INPUT );
@@ -1965,7 +1965,7 @@
w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
lstrlenW(file_data.cFileName),
- p, len - 1,
+ p, (int) len - 1,
NULL, NULL );
if( w_ret == 0 )
return( POLARSSL_ERR_X509_FILE_IO_ERROR );