commit b134060f90ee0e47a63a36f0c36334edeed4a110
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue Nov 11 23:11:16 2014 +0100
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Nov 12 00:01:52 2014 +0100
tree 8b9a7fbf6b55f45b695a776e967089d3b088f67f
parent 0369a5291b525d2739e4ccb388761baaee86793f

Fix memory leak with crafted X.509 certs

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 9821551..f06f582 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,9 @@
    * Fix remotely-triggerable uninitialised pointer dereference caused by
      crafted X.509 certificate (server is not affected if it doesn't ask for a
      client certificate) (found using Codenomicon Defensics).
+   * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
+     (server is not affected if it doesn't ask for a client certificate)
+     (found using Codenomicon Defensics).
 
 Features
    * Add function pk_check_pair() to test if public and private keys match.

library/x509_crt.c

diff --git a/library/x509_crt.c b/library/x509_crt.c
index 88d7f04..525d250 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -359,6 +359,9 @@
         /* Allocate and assign next pointer */
         if( cur->buf.p != NULL )
         {
+            if( cur->next != NULL )
+                return( POLARSSL_ERR_X509_INVALID_EXTENSIONS );
+
             cur->next = (asn1_sequence *) polarssl_malloc(
                  sizeof( asn1_sequence ) );
 

tests/suites/test_suite_x509parse.data

diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index c2bb7f3..b7f6791 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -873,6 +873,10 @@
 depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
 x509parse_crt:"3081de3081dba003020102020900ebdbcd14105e1839300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3134313131313230353935345a170d3234313130383230353935345a300f310d300b06035504031304546573743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa321301f301d0603551d250416301406082b0601050507030107082b06010505070302":"":POLARSSL_ERR_X509_INVALID_EXTENSIONS + POLARSSL_ERR_ASN1_UNEXPECTED_TAG
 
+X509 Certificate ASN1 (SubjectAltName repeated)
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
+x509parse_crt:"3081fd3081faa003020102020900a8b31ff37d09a37f300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3134313131313231333731365a170d3234313130383231333731365a300f310d300b06035504031304546573743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":POLARSSL_ERR_X509_INVALID_EXTENSIONS
+
 X509 Certificate ASN1 (correct pubkey, no sig_alg)
 depends_on:POLARSSL_RSA_C
 x509parse_crt:"308183308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":POLARSSL_ERR_X509_INVALID_ALG + POLARSSL_ERR_ASN1_OUT_OF_DATA