Merge branch 'polarssl-1.2' into polarssl-1.2-restricted
* polarssl-1.2:
Use own implementation of strsep()
Add Changelog entries for this branch
Use symbolic constants in test data
Fixed pathlen contraint enforcement.
Additional corner cases for testing pathlen constrains
Added test case for pathlen constrains in intermediate certificates
diff --git a/ChangeLog b/ChangeLog
index e967075..d9a87f1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,13 @@
= Version 1.2.18 released 2015-10-xx
Security
+ * Fix potential heap corruption on Windows when
+ x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
+ triggered remotely. Found by Guido Vranken, Interlworks.
+ * Fix potential buffer overflow in some asn1_write_xxx() functions.
+ Cannot be triggered remotely unless you create X.509 certificates based
+ on untrusted input or write keys of untrusted origin. Found by Guido
+ Vranken, Interlworks.
* The X509 max_pathlen constraint was not enforced on intermediate
certificates. Found by Nicholas Wilson, fix and tests provided by
Janos Follath. #280 and #319
@@ -17,9 +24,9 @@
= Version 1.2.17 released 2015-10-06
Security
- * Fix for CVE-2015-5291. Possible heap buffer overflow in SSL if a very long
- hostname is used. Can be trigerred remotely if you accept hostnames from
- untrusted parties. Found by Guido Vranken, Intelworks.
+ * Fix for CVE-2015-5291 to prevent heap corruption due to buffer
+ overflow of the hostname or session ticket. Found by Guido Vranken,
+ Intelworks.
* Fix stack buffer overflow in pkcs12 decryption (used by
mbedtls_pk_parse_key(file)() when the password is > 129 bytes. Found by
Guido Vranken, Intelworks. Not triggerable remotely.
diff --git a/library/asn1write.c b/library/asn1write.c
index 3d6f101..6c520dc 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -78,7 +78,7 @@
//
len = mpi_size( X );
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len;
@@ -127,7 +127,7 @@
//
len = strlen( oid );
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len;
@@ -203,7 +203,7 @@
//
len = strlen( text );
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len;
@@ -225,7 +225,7 @@
//
len = strlen( text );
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len;
diff --git a/library/x509parse.c b/library/x509parse.c
index e88f86e..c9db3fa 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -1932,7 +1932,7 @@
WCHAR szDir[MAX_PATH];
char filename[MAX_PATH];
char *p;
- int len = strlen( path );
+ size_t len = strlen( path );
WIN32_FIND_DATAW file_data;
HANDLE hFind;
@@ -1947,7 +1947,7 @@
p = filename + len;
filename[len++] = '*';
- w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir, MAX_PATH - 3 );
+ w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int) len, szDir, MAX_PATH - 3 );
if( w_ret == 0 )
return( POLARSSL_ERR_X509_INVALID_INPUT );
@@ -1965,7 +1965,7 @@
w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
lstrlenW(file_data.cFileName),
- p, len - 1,
+ p, (int) len - 1,
NULL, NULL );
if( w_ret == 0 )
return( POLARSSL_ERR_X509_FILE_IO_ERROR );