From bc1babb38759446b93ec53d82f0ec961cffe1b5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 2 Oct 2015 11:16:47 +0200 Subject: [PATCH] Fix potential overflow in CertificateRequest --- ChangeLog | 6 ++++++ library/ssl_srv.c | 11 ++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 68b1255b9..57024a043 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,12 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS 2.1.2 released 2015-10-xx +Security + * Fix potential heap buffer overflow in servers that perform client + authentication against a crafted CA cert. Cannot be triggered remotely + unless you allow third parties to pick trust CAs for client auth. + Found by Guido Vranken. + Changes * Fixed paths for check_config.h in example config files. (Found by bachp) (#291) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index b48a609ee..1bda53c46 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2351,6 +2351,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) size_t dn_size, total_dn_size; /* excluding length bytes */ size_t ct_len, sa_len; /* including length bytes */ unsigned char *buf, *p; + const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; const mbedtls_x509_crt *crt; int authmode; @@ -2471,10 +2472,14 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) total_dn_size = 0; while( crt != NULL && crt->version != 0 ) { - if( p - buf > 4096 ) - break; - dn_size = crt->subject_raw.len; + + if( end < p || (size_t)( end - p ) < 2 + dn_size ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); + break; + } + *p++ = (unsigned char)( dn_size >> 8 ); *p++ = (unsigned char)( dn_size ); memcpy( p, crt->subject_raw.p, dn_size );