Add missing bounds check in X509 DER write funcs
This patch adds checks in both mbedtls_x509write_crt_der and
mbedtls_x509write_csr_der before the signature is written to buf
using memcpy().
diff --git a/ChangeLog b/ChangeLog
index e64b8c2..29d806a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,12 @@
mbed TLS ChangeLog (Sorted per branch, date)
-= mbed TLS 1.3.x
+= mbed TLS 1.3.x branch 2016-xx-xx
+
+Security
+ * Fix potential stack corruption in mbedtls_x509write_crt_der() and
+ mbedtls_x509write_csr_der() when the signature is copied to the buffer
+ without checking whether there is enough space in the destination. It is
+ not triggerable remotely in SSL/TLS.
Bugfix
* Fix an issue that caused valid certificates being rejected whenever an
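Review bot: The Security entry names the functions with the mbedtls_ prefix, while the error code returned by the code changes in this same patch is POLARSSL_ERR_ASN1_BUF_TOO_SMALL; please confirm the function names are spelled the way this branch's sources spell them. The entry would also be more useful if it named the triggering condition, which from the code changes is an output buffer too small to hold the data copied by memcpy() after the signature is written. The 2016-xx-xx placeholder in the branch header needs to be filled in before release.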
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index 80913ec..23d46ee 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -408,6 +408,9 @@
ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf,
sig_oid, sig_oid_len, sig, sig_len ) );
+ if( len > (size_t)( c2 - buf ) )
+ return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
+
c2 -= len;
memcpy( c2, c, len );
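Review bot: The cast in if( len > (size_t)( c2 - buf ) ) is only sound when c2 >= buf, because a negative pointer difference would convert to a very large size_t and let the check pass. That invariant depends on x509_write_sig() never moving c2 below buf without ASN1_CHK_ADD returning an error first, so a short comment above the check stating this would help the next reader. The comment could also say what len covers, since the only hint in the hunk is that memcpy( c2, c, len ) copies len bytes from c after c2 -= len.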
diff --git a/library/x509write_csr.c b/library/x509write_csr.c
index c5a5875..1b3d2f5 100644
--- a/library/x509write_csr.c
+++ b/library/x509write_csr.c
@@ -214,6 +214,9 @@
ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf,
sig_oid, sig_oid_len, sig, sig_len ) );
+ if( len > (size_t)( c2 - buf ) )
+ return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
+
c2 -= len;
memcpy( c2, c, len );
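Review bot: The new check before c2 -= len has no test in this patch, which touches only ChangeLog and the two library files, so nothing exercises the new POLARSSL_ERR_ASN1_BUF_TOO_SMALL return path. Consider adding a test for each DER write function that passes a buffer large enough for x509_write_sig() to succeed but too small for the following memcpy(), and asserts on the error code. Since the same three lines now appear in both x509write_crt.c and x509write_csr.c, the two copies should carry the same explanatory comment so they stay in sync.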