get_len_step: Fix end-of-buffer calculation when buffer_size==0

Fix get_len_step when buffer_size==0. The intent of this test is to
ensure (via static or runtime buffer overflow analysis) that
mbedtls_asn1_get_len does not attempt to access beyond the end of the
buffer. When buffer_size is 0 (reached from get_len when parsing a
1-byte buffer), the buffer is buf[1..1] because allocating a 0-byte
buffer might yield a null pointer rather than a valid pointer. In this
case the end of the buffer is p==buf+1, not buf+buffer_size which is
buf+0.

The test passed because calling mbedtls_asn1_get_len(&p,end,...) with
end < p happens to work, but this is not guaranteed.

diff --git a/tests/suites/test_suite_asn1parse.function b/tests/suites/test_suite_asn1parse.function
index d747cc2..f07fd40 100644
--- a/tests/suites/test_suite_asn1parse.function
+++ b/tests/suites/test_suite_asn1parse.function
@@ -121,6 +121,7 @@
{
unsigned char *buf = NULL;
unsigned char *p = NULL;
+ unsigned char *end;
size_t parsed_length;
int ret;
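Review bot: the new `end` declaration is left uninitialized, while `buf` and `p` directly above it are set to NULL. Both branches in the later hunks assign it before the mbedtls_asn1_get_len call, but writing `unsigned char *end = NULL;` keeps the declarations consistent and avoids a maybe-uninitialized warning if a path that skips the assignment is added later.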
@@ -130,7 +131,8 @@
if( buffer_size == 0 )
{
ASSERT_ALLOC( buf, 1 );
- p = buf + 1;
+ end = buf + 1;
+ p = end;
}
else
{
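Review bot: the `buffer_size == 0` branch needs a code comment explaining why a 1-byte buffer is allocated and why `end` is `buf + 1` rather than `buf + buffer_size`. That reasoning (a 0-byte allocation might yield a null pointer, so the empty buffer is buf[1..1]) currently lives only in the commit message; without it in the test source, a later cleanup could fold this back to `buf + buffer_size` and reintroduce the end < p call.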
@@ -145,9 +147,10 @@
memcpy( buf, input->x, buffer_size );
}
p = buf;
+ end = buf + buffer_size;
}
- ret = mbedtls_asn1_get_len( &p, buf + buffer_size, &parsed_length );
+ ret = mbedtls_asn1_get_len( &p, end, &parsed_length );
if( buffer_size >= input->len + actual_length )
{