Fix potential integer overflow parsing DER CRL
This patch prevents a potential signed integer overflow during the CRL version verification checks.
This commit is contained in:
parent
4d90d56dfe
commit
853c46c8d3
2 changed files with 7 additions and 3 deletions
|
@ -13,6 +13,10 @@ Bugfix
|
|||
Found by redplait #590
|
||||
* Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
|
||||
Reported and fix suggested by guidovranken in #740
|
||||
* Fix a potential integer overflow in the version verification for DER
|
||||
encoded X509 CRLs. The overflow would enable maliciously constructed CRLs
|
||||
to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
|
||||
KNOX Security, Samsung Research America
|
||||
|
||||
Features
|
||||
* Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown()
|
||||
|
|
|
@ -352,14 +352,14 @@ int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
|
|||
return( ret );
|
||||
}
|
||||
|
||||
crl->version++;
|
||||
|
||||
if( crl->version > 2 )
|
||||
if( crl->version < 0 || crl->version > 1 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
|
||||
}
|
||||
|
||||
crl->version++;
|
||||
|
||||
if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1,
|
||||
&crl->sig_md, &crl->sig_pk,
|
||||
&crl->sig_opts ) ) != 0 )
|
||||
|
|
Loading…
Reference in a new issue