Fix stack buffer overflow in pkcs12

2 files changed, 15 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index 6f8181b..b496e02 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 PolarSSL ChangeLog
 
+= Version 1.2.16 released 2015-10-??
+
+Security
+   * Fix stack buffer overflow in pkcs12 decryption (used by
+     mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
+     Found by Guido Vranken. Not triggerable remotely.
+
 = Version 1.2.16 released 2015-09-17
 
 Security
diff --git a/library/pkcs12.c b/library/pkcs12.c
index 8e42d20..498a3fe 100644
--- a/library/pkcs12.c
+++ b/library/pkcs12.c
@@ -80,6 +80,8 @@ static int pkcs12_parse_pbe_params( unsigned char **p,
     return( 0 );
 }
 
+#define PKCS12_MAX_PWDLEN 128
+
 static int pkcs12_pbe_derive_key_iv( asn1_buf *pbe_params, md_type_t md_type,
                                      const unsigned char *pwd,  size_t pwdlen,
                                      unsigned char *key, size_t keylen,
@@ -89,7 +91,10 @@ static int pkcs12_pbe_derive_key_iv( asn1_buf *pbe_params, md_type_t md_type,
     asn1_buf salt;
     size_t i;
     unsigned char *p, *end;
-    unsigned char unipwd[258];
+    unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
+
+    if( pwdlen > PKCS12_MAX_PWDLEN )
+        return( POLARSSL_ERR_PKCS12_BAD_INPUT_DATA );
 
     memset(&salt, 0, sizeof(asn1_buf));
     memset(&unipwd, 0, sizeof(unipwd));
@@ -122,6 +127,8 @@ static int pkcs12_pbe_derive_key_iv( asn1_buf *pbe_params, md_type_t md_type,
     return( 0 );
 }
 
+#undef PKCS12_MAX_PWDLEN
+
 int pkcs12_pbe_sha1_rc4_128( asn1_buf *pbe_params, int mode,
                              const unsigned char *pwd,  size_t pwdlen,
                              const unsigned char *data, size_t len,