From 22c3b7b9dae1f5756635923d26f3df7f15e1d337 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Oct 2015 12:07:47 +0200 Subject: [PATCH 1/3] Fix potential buffer overflow in asn1write --- ChangeLog | 8 ++++++++ library/asn1write.c | 6 +++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index aa96b1848..998baed0e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,13 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.2.R0released 2015-10-xx + +Security + * Fix potential buffer overflow in some asn1_write_xxx() functions. + Cannot be triggered remotely unless you create X.509 certificates based + on untrusted input or write keys of untrusted origin. Found by Guido + Vranken, Interlworks. + = mbed TLS 2.1.2 released 2015-10-06 Security diff --git a/library/asn1write.c b/library/asn1write.c index dd5a7455e..fd262a50b 100644 --- a/library/asn1write.c +++ b/library/asn1write.c @@ -87,7 +87,7 @@ int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start, { size_t len = 0; - if( *p - start < (int) size ) + if( *p < start || (size_t)( *p - start ) < size ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); len = size; @@ -107,7 +107,7 @@ int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start, const mbedt // len = mbedtls_mpi_size( X ); - if( *p - start < (int) len ) + if( *p < start || (size_t)( *p - start ) < len ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); (*p) -= len; @@ -270,7 +270,7 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start, // Calculate byte length // - if( *p - start < (int) size + 1 ) + if( *p < start || (size_t)( *p - start ) < size + 1 ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); len = size + 1; From 4dc9b394d397e331f5c14f7e053aafaccc771321 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Oct 2015 12:23:09 +0200 Subject: [PATCH 2/3] Fix other occurrences of same bounds check issue Security impact is the same: not triggerrable remotely except in very specific use cases --- library/pkwrite.c | 2 +- library/x509_create.c | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/library/pkwrite.c b/library/pkwrite.c index 0a16eac72..83b798c11 100644 --- a/library/pkwrite.c +++ b/library/pkwrite.c @@ -96,7 +96,7 @@ static int pk_write_ec_pubkey( unsigned char **p, unsigned char *start, return( ret ); } - if( *p - start < (int) len ) + if( *p < start || (size_t)( *p - start ) < len ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); *p -= len; diff --git a/library/x509_create.c b/library/x509_create.c index 3b773c02a..df20ec8eb 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -259,13 +259,16 @@ int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start, int ret; size_t len = 0; - if( *p - start < (int) size + 1 ) + if( *p < start || (size_t)( *p - start ) < size ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); len = size; (*p) -= len; memcpy( *p, sig, len ); + if( *p - start < 1 ) + return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); + *--(*p) = 0; len += 1; From bc5e5088555036380e1da357c46889c0cfb1e788 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Oct 2015 12:35:29 +0200 Subject: [PATCH 3/3] Fix other int casts in bounds checking Not a security issue as here we know the buffer is large enough (unless something else if badly wrong in the code), and the value cast to int is less than 2^16 (again, unless issues elsewhere). Still changing to a more correct check as a matter of principle --- library/ssl_tls.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index da9f8bf45..d03ea024b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1095,11 +1095,16 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK ) { - if( end - p < 2 + (int) psk_len ) + if( end - p < 2 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); *(p++) = (unsigned char)( psk_len >> 8 ); *(p++) = (unsigned char)( psk_len ); + + if( end < p || (size_t)( end - p ) < psk_len ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + memset( p, 0, psk_len ); p += psk_len; } else @@ -1167,11 +1172,15 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch } /* opaque psk<0..2^16-1>; */ - if( end - p < 2 + (int) psk_len ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + if( end - p < 2 ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); *(p++) = (unsigned char)( psk_len >> 8 ); *(p++) = (unsigned char)( psk_len ); + + if( end < p || (size_t)( end - p ) < psk_len ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + memcpy( p, psk, psk_len ); p += psk_len;