mbedtls/library
Gilles Peskine 5dd5a491da x509_crl_parse: fix 1-byte buffer overflow and entry->raw.tag
In the entries (mbedtls_x509_crl_entry values) on the list constructed
by mbedtls_x509_crl_parse_der(), set entry->raw.tag to
(SEQUENCE | CONSTRUCTED) rather than to the tag of the first ASN.1
element of the entry (which happens to be the tag of the serial
number, so INTEGER or INTEGER | CONTEXT_SPECIFIC). This doesn't
really matter in practice (and in particular the value is never used
in Mbed TLS itself), and isn't documented, but at least it's
consistent with how mbedtls_x509_buf is normally used.

The primary importance of this change is that the old code tried to
access the tag of the first element of the entry even when the entry
happened to be empty. If the entry was empty and not followed by
anything else in the CRL, this could cause a read 1 byte after the end
of the buffer containing the CRL.

The test case "X509 CRL ASN1 (TBSCertList, single empty entry at end)"
hit the problematic buffer overflow, which is detected with ASan.

Credit to OSS-Fuzz for detecting the problem.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-16 18:40:17 +02:00
.gitignore
aes.c Fix GCC format-signedness warnings 2020-04-22 16:01:48 +02:00
aesni.c
arc4.c
aria.c
asn1parse.c Replace use of uint8_t by unsigned char in ASN.1 seq traversal API 2020-02-03 10:39:55 +00:00
asn1write.c
base64.c
bignum.c Clean up some comments 2020-06-09 10:39:38 +02:00
blowfish.c
camellia.c
ccm.c
certs.c Revert "Remove unused TLS, NET, and X.509 files" 2020-03-19 13:36:33 +01:00
chacha20.c
chachapoly.c
cipher.c
cipher_wrap.c
cmac.c Fix GCC format-signedness warnings 2020-04-22 16:01:48 +02:00
CMakeLists.txt Bump version to Mbed TLS 2.23.0 2020-06-29 22:41:30 +01:00
common.h New header common.h; define MBEDTLS_STATIC_TESTABLE 2020-03-24 22:57:11 +01:00
ctr_drbg.c
debug.c Fix GCC format-signedness warnings 2020-04-22 16:01:48 +02:00
des.c
dhm.c
ecdh.c
ecdsa.c
ecjpake.c
ecp.c Add length check in ecp_drbg_seed() 2020-06-19 11:59:49 +02:00
ecp_curves.c
entropy.c
entropy_poll.c entropy: Adjust parameter type of internal function to avoid a cast 2020-06-24 17:16:33 +01:00
error.c Merge pull request #873 from hanno-arm/ssl_write_client_hello 2020-06-15 10:57:51 +02:00
gcm.c
havege.c
hkdf.c hkdf_expand: explicitly initialize t 2020-04-02 19:54:51 +02:00
hmac_drbg.c
Makefile Bump version to Mbed TLS 2.23.0 2020-06-29 22:41:30 +01:00
md.c Fix "same actions in two cases of a switch statement" warning 2020-04-20 13:56:09 +03:00
md2.c
md4.c
md5.c
memory_buffer_alloc.c
net_sockets.c net_sockets: Fix building on NetBSD 9.0 2020-06-11 14:05:25 +01:00
nist_kw.c
oid.c Fix GCC format-signedness warnings 2020-04-22 16:01:48 +02:00
padlock.c
pem.c
pk.c pk: USE_PSA_CRYPTO: don't translate via the TLS ID 2020-01-31 10:15:32 +01:00
pk_wrap.c Remove mbedtls_psa_translate_ecc_group 2020-01-31 10:15:32 +01:00
pkcs5.c
pkcs11.c Revert "Remove unused TLS, NET, and X.509 files" 2020-03-19 13:36:33 +01:00
pkcs12.c
pkparse.c Fix pkparse bug wrt MBEDTLS_RSA_ALT 2020-02-18 10:31:29 +01:00
pkwrite.c Change key types to a 16-bit encoding 2020-01-31 10:24:21 +01:00
platform.c
platform_util.c
poly1305.c
psa_crypto.c Add Apache-2.0 headers to all source files 2020-06-16 17:38:44 +02:00
psa_crypto_core.h Add Apache-2.0 headers to all source files 2020-06-16 17:38:44 +02:00
psa_crypto_invasive.h
psa_crypto_its.h Add Apache-2.0 headers to all source files 2020-06-16 17:38:44 +02:00
psa_crypto_se.c Add Apache-2.0 headers to all source files 2020-06-16 17:38:44 +02:00
psa_crypto_se.h Add Apache-2.0 headers to all source files 2020-06-16 17:38:44 +02:00
psa_crypto_service_integration.h Add Apache-2.0 headers to all source files 2020-06-16 17:38:44 +02:00
psa_crypto_slot_management.c Add Apache-2.0 headers to all source files 2020-06-16 17:38:44 +02:00
psa_crypto_slot_management.h Add Apache-2.0 headers to all source files 2020-06-16 17:38:44 +02:00
psa_crypto_storage.c Add Apache-2.0 headers to all source files 2020-06-16 17:38:44 +02:00
psa_crypto_storage.h
psa_its_file.c Add Apache-2.0 headers to all source files 2020-06-16 17:38:44 +02:00
ripemd160.c
rsa.c
rsa_internal.c
sha1.c
sha256.c
sha512.c
ssl_cache.c Revert "Remove unused TLS, NET, and X.509 files" 2020-03-19 13:36:33 +01:00
ssl_ciphersuites.c Rename identifiers containing double-underscore 2020-03-23 17:55:32 +01:00
ssl_cli.c ssl_client: Align line breaking with MBEDTLS_SSL_DEBUG_* 2020-06-11 09:34:06 +02:00
ssl_cookie.c Uniformize bounds checks using new macro 2020-05-29 15:07:00 +02:00
ssl_msg.c Use starts/finish around Lucky 13 dummy compressions 2020-06-15 11:55:53 +02:00
ssl_srv.c Merge pull request #3150 from irwir/fix_ssl_srv 2020-04-22 09:31:00 +02:00
ssl_ticket.c Uniformize bounds checks using new macro 2020-05-29 15:07:00 +02:00
ssl_tls.c Merge pull request #3405 from AndrzejKurek/variable-buffers-cid-serialization 2020-06-17 12:26:24 +01:00
threading.c
timing.c Add support for midipix, a POSIX layer for Microsoft Windows 2020-05-20 18:14:45 +00:00
version.c
version_features.c Add config.h option MBEDTLS_ECP_NO_INTERNAL_RNG 2020-06-08 09:09:20 +02:00
x509.c fix mbedtls_x509_dn_gets to escape non-ASCII characters 2020-05-21 01:56:55 +09:00
x509_create.c Revert "Remove unused TLS, NET, and X.509 files" 2020-03-19 13:36:33 +01:00
x509_crl.c x509_crl_parse: fix 1-byte buffer overflow and entry->raw.tag 2020-07-16 18:40:17 +02:00
x509_crt.c Pass "certificate policies" extension to callback 2020-06-17 17:55:29 +02:00
x509_csr.c Revert "Remove unused TLS, NET, and X.509 files" 2020-03-19 13:36:33 +01:00
x509write_crt.c Revert "Remove unused TLS, NET, and X.509 files" 2020-03-19 13:36:33 +01:00
x509write_csr.c Revert "Remove unused TLS, NET, and X.509 files" 2020-03-19 13:36:33 +01:00
xtea.c