Fix 1 byte overread in mbedtls_asn1_get_int()

commit: fbd1cd9d57075ee22c60aa03efe4b9e3eac0f65b [log] [tgz]
author: Andres AG <andres.amayagarcia@arm.com> Mon Sep 26 09:52:41 2016 +0100
committer: Simon Butcher <simon.butcher@arm.com> Wed Oct 12 17:45:29 2016 +0100
tree: f09180dbce48a51c2fdd4c42277ebec7bb3cde27
parent: 865c8996816945cfdc1aeab7921e85534c9ae223 [diff]
diff --git a/ChangeLog b/ChangeLog
index a217fa6..4430d75 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -12,6 +12,8 @@
      enabled unless others were also present. Found by David Fernandez. #428
    * Fixed cert_app sample program for debug output and for use when no root
      certificates are provided.
+   * Fix conditional statement that would cause a 1 byte overread in
+     mbedtls_asn1_get_int(). Found and fixed by Guido Vranken.
    * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
      builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
      by inestlerode. #559.

diff --git a/library/asn1parse.c b/library/asn1parse.c
index b37523d..36aff6e 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c

@@ -153,7 +153,7 @@
     if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
         return( ret );
 
-    if( len > sizeof( int ) || ( **p & 0x80 ) != 0 )
+    if( len == 0 || len > sizeof( int ) || ( **p & 0x80 ) != 0 )
         return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
 
     *val = 0;
commit	fbd1cd9d57075ee22c60aa03efe4b9e3eac0f65b	[log] [tgz]
author	Andres AG <andres.amayagarcia@arm.com>	Mon Sep 26 09:52:41 2016 +0100
committer	Simon Butcher <simon.butcher@arm.com>	Wed Oct 12 17:45:29 2016 +0100
tree	f09180dbce48a51c2fdd4c42277ebec7bb3cde27
parent	865c8996816945cfdc1aeab7921e85534c9ae223 [diff]