Fix stack buffer overflow in pkcs12
diff --git a/ChangeLog b/ChangeLog
index 44f4408..735e443 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
mbed TLS ChangeLog (Sorted per branch, date)
+
+= mbed TLS 1.3.14 reladsed 2015-10-??
+
+Security
+ * Fix stack buffer overflow in pkcs12 decryption (used by
+ mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
+ Found by Guido Vranken. Not triggerable remotely.
+
= mbed TLS 1.3.13 reladsed 2015-09-17
Security
diff --git a/library/pkcs12.c b/library/pkcs12.c
index f84fd52..dff01a7 100644
--- a/library/pkcs12.c
+++ b/library/pkcs12.c
@@ -87,6 +87,8 @@
return( 0 );
}
+#define PKCS12_MAX_PWDLEN 128
+
static int pkcs12_pbe_derive_key_iv( asn1_buf *pbe_params, md_type_t md_type,
const unsigned char *pwd, size_t pwdlen,
unsigned char *key, size_t keylen,
@@ -95,7 +97,10 @@
int ret, iterations;
asn1_buf salt;
size_t i;
- unsigned char unipwd[258];
+ unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
+
+ if( pwdlen > PKCS12_MAX_PWDLEN )
+ return( POLARSSL_ERR_PKCS12_BAD_INPUT_DATA );
memset( &salt, 0, sizeof(asn1_buf) );
memset( &unipwd, 0, sizeof(unipwd) );
@@ -126,6 +131,8 @@
return( 0 );
}
+#undef PKCS12_MAX_PWDLEN
+
int pkcs12_pbe_sha1_rc4_128( asn1_buf *pbe_params, int mode,
const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t len,