Merge pull request #259 from k-stachowiak/bounds-check-asn1-len

Check `len` against buffers size upper bound in PSA tests
This commit is contained in:
Gilles Peskine 2019-10-29 17:47:47 +01:00 committed by GitHub
commit ccde952df0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -736,6 +736,11 @@ int asn1_skip_integer( unsigned char **p, const unsigned char *end,
TEST_EQUAL( mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_INTEGER ),
0 );
/* Check if the retrieved length doesn't extend the actual buffer's size.
* It is assumed here, that end >= p, which validates casting to size_t. */
TEST_ASSERT( len <= (size_t)( end - *p) );
/* Tolerate a slight departure from DER encoding:
* - 0 may be represented by an empty string or a 1-byte string.
* - The sign bit may be used as a value bit. */