Changelog for the fix to mbedtls_mpi_exp_mod(A=0)

In Mbed TLS 2.26.0, the bug was hard to trigger, since all methods for parsing a bignum (mbedtls_mpi_read_xxx functions) constructed an mbedtls_mpi object with at least one limb. In the development branch, after the commit "New internal function mbedtls_mpi_resize_clear", this bug could be triggered by a TLS server, by passing invalid custom Diffie-Hellman parameters with G=0 transmitted as a 0-length byte string. Since the behavior change in mbedtls_mpi_read_binary and mbedtls_mpi_read_binary_le (constructing 0 limbs instead of 1 when passed empty input) turned out to have consequences despite being in principle an internal detail, mention it in the changelog. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-09 18:55:57 +02:00 · 2021-06-09 18:55:57 +02:00 · 3008dde386
commit 3008dde386
parent 3da1a8ff39
1 changed files with 7 additions and 0 deletions
--- a/ChangeLog.d/mpi_exp_mod-zero.txt
+++ b/ChangeLog.d/mpi_exp_mod-zero.txt
@ -0,0 +1,7 @@
+Bugfix
+   * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
+     A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
+     could not be triggered by code that constructed A with one of the
+     mbedtls_mpi_read_xxx functions (including in particular TLS code) since
+     those always built an mpi object with at least one limb.
+     Credit to OSS-Fuzz. Fixes #4641.