Fix potential buffer overread of size 1
diff --git a/ChangeLog b/ChangeLog
index 59f5c8e..436b070 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,8 @@
* Fix potential stack overflow while parsing crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate)
found using Codenomicon Defensics).
+ * Fix buffer overread of size 1 when parsing crafted X.509 certificates
+ (TLS server is not affected if it doesn't ask for a client certificate).
Bugfix
* Fix potential undefined behaviour in Camellia.
diff --git a/library/x509parse.c b/library/x509parse.c
index 9d62e9e..488ae8c 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -193,6 +193,11 @@
return( POLARSSL_ERR_X509_CERT_INVALID_ALG + ret );
end = *p + len;
+
+ if( len < 1 )
+ return( POLARSSL_ERR_X509_CERT_INVALID_ALG +
+ POLARSSL_ERR_ASN1_OUT_OF_DATA );
+
alg->tag = **p;
if( ( ret = asn1_get_tag( p, end, &alg->len, ASN1_OID ) ) != 0 )
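Review bot: The new `len < 1` guard carries no comment saying why it is needed, and the reason is not obvious from the surrounding lines: `alg->tag = **p` dereferences the input before the following `asn1_get_tag()` call has had a chance to do its own bounds check (presumably it has one), so an empty SEQUENCE leaves no byte to read. I would add `/* **p is read below before asn1_get_tag() checks bounds; reject an empty SEQUENCE */` above the check. Writing the condition as `( end - *p ) < 1` would also tie the guard to the pointer that is actually dereferenced rather than to `len`. The enclosing function starts and ends outside the hunk.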
@@ -240,6 +245,11 @@
return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
oid = &cur->oid;
+
+ if( len < 1 )
+ return( POLARSSL_ERR_X509_CERT_INVALID_NAME +
+ POLARSSL_ERR_ASN1_OUT_OF_DATA );
+
oid->tag = **p;
if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 )
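Review bot: Unlike the first hunk, nothing visible here narrows `end` to the SEQUENCE that was just parsed, so the `asn1_get_tag( p, end, &oid->len, ASN1_OID )` that follows appears to be bounded by the caller's `end` rather than by `*p + len`. The `len < 1` check does cover the one-byte read at `oid->tag = **p`, but as far as this hunk shows, an OID whose declared length runs past its enclosing SEQUENCE would still be accepted as long as it fits in the outer buffer. Consider adding `end = *p + len;` before the check, as the first hunk has, provided the rest of the function does not depend on the outer `end`. The function body starts and ends outside the hunk, so this needs confirming against the full source.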
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 6fbc916..69fb9b1 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -450,7 +450,7 @@
x509parse_crt:"30223020a0030201028204deadbeef300d06092a864886f70d0101020500300431023000":"":POLARSSL_ERR_X509_CERT_INVALID_NAME + POLARSSL_ERR_ASN1_OUT_OF_DATA
X509 Certificate ASN1 (TBSCertificate, issuer two inner set datas)
-x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010205003006310430003000":"":POLARSSL_ERR_X509_CERT_INVALID_NAME + POLARSSL_ERR_ASN1_UNEXPECTED_TAG
+x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010205003006310430003000":"":POLARSSL_ERR_X509_CERT_INVALID_NAME + POLARSSL_ERR_ASN1_OUT_OF_DATA
X509 Certificate ASN1 (TBSCertificate, issuer no oid data)
x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010205003006310430020600":"":POLARSSL_ERR_X509_CERT_INVALID_NAME + POLARSSL_ERR_ASN1_OUT_OF_DATA
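Review bot: Only the issuer-name path gets an updated expectation here; no vector in this hunk exercises the new `POLARSSL_ERR_X509_CERT_INVALID_ALG + POLARSSL_ERR_ASN1_OUT_OF_DATA` return added in library/x509parse.c. If the suite does not already have one outside this hunk, add a case whose AlgorithmIdentifier SEQUENCE is empty and expects that error, so that both new guards are pinned by a regression test. Because the return code changes for only one existing case, running these vectors under a memory checker (valgrind or AddressSanitizer) is what actually confirms the one-byte read is gone.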