Fix potential heap corruption on Windows
If len is large enough, when cast to an int it will be negative and then the test if( len > MAX_PATH - 3 ) will not behave as expected.
This commit is contained in:
parent
cdea97c1c3
commit
261faed725
2 changed files with 9 additions and 2 deletions
|
@ -1,5 +1,12 @@
|
||||||
mbed TLS ChangeLog (Sorted per branch, date)
|
mbed TLS ChangeLog (Sorted per branch, date)
|
||||||
|
|
||||||
|
= mbed TLS 2.2.0 released 2015-10-xx
|
||||||
|
|
||||||
|
Security
|
||||||
|
* Fix potential heap corruption on Windows when
|
||||||
|
mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
|
||||||
|
triggered remotely. Found by Guido Vranken, Interlworks.
|
||||||
|
|
||||||
= mbed TLS 2.1.2 released 2015-10-06
|
= mbed TLS 2.1.2 released 2015-10-06
|
||||||
|
|
||||||
Security
|
Security
|
||||||
|
|
|
@ -1097,7 +1097,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
|
||||||
WCHAR szDir[MAX_PATH];
|
WCHAR szDir[MAX_PATH];
|
||||||
char filename[MAX_PATH];
|
char filename[MAX_PATH];
|
||||||
char *p;
|
char *p;
|
||||||
int len = (int) strlen( path );
|
size_t len = strlen( path );
|
||||||
|
|
||||||
WIN32_FIND_DATAW file_data;
|
WIN32_FIND_DATAW file_data;
|
||||||
HANDLE hFind;
|
HANDLE hFind;
|
||||||
|
@ -1131,7 +1131,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
|
||||||
|
|
||||||
w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
|
w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
|
||||||
lstrlenW( file_data.cFileName ),
|
lstrlenW( file_data.cFileName ),
|
||||||
p, len - 1,
|
p, (int) len - 1,
|
||||||
NULL, NULL );
|
NULL, NULL );
|
||||||
if( w_ret == 0 )
|
if( w_ret == 0 )
|
||||||
return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
|
return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
|
||||||
|
|
Loading…
Reference in a new issue