diff options
| author | Manuel Pégourié-Gonnard <mpg2@elzevir.fr> | 2015-09-28 18:27:15 +0200 |
|---|---|---|
| committer | Manuel Pégourié-Gonnard <mpg2@elzevir.fr> | 2015-10-01 17:00:22 +0200 |
| commit | b73ce45b3f87672f5dfcc4e136ae8e9771c5552d (patch) | |
| tree | 9727781ce362445bb25b5167f1a6f0a26cc5ef33 | |
| parent | 9b75305d6a77383ddcacea46106aac55513d4a9e (diff) | |
| download | mbedtls-b73ce45b3f87672f5dfcc4e136ae8e9771c5552d.zip mbedtls-b73ce45b3f87672f5dfcc4e136ae8e9771c5552d.tar.gz mbedtls-b73ce45b3f87672f5dfcc4e136ae8e9771c5552d.tar.bz2 | |
Fix potential random malloc in pem_read()
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | library/base64.c | 3 | ||||
| -rw-r--r-- | library/pem.c | 3 |
3 files changed, 10 insertions, 0 deletions
@@ -11,6 +11,10 @@ Security but might be in other uses. On 32 bit machines, requires reading a string of close to or larger than 1GB to exploit; on 64 bit machines, would require reading a string of close to or larger than 2^62 bytes. + * Fix potential random memory allocation in mbedtls_pem_read_buffer() + on crafted PEM input data. Found an fix provided by Guid Vranken. + Not triggerable remotely in TLS. Triggerable remotely if you accept PEM + data from an untrusted source. = Version 1.2.16 released 2015-09-17 diff --git a/library/base64.c b/library/base64.c index c94995b..dba4c23 100644 --- a/library/base64.c +++ b/library/base64.c @@ -176,7 +176,10 @@ int base64_decode( unsigned char *dst, size_t *dlen, } if( n == 0 ) + { + *dlen = 0; return( 0 ); + } n = ((n * 6) + 7) >> 3; n -= j; diff --git a/library/pem.c b/library/pem.c index 5c973ac..81098ee 100644 --- a/library/pem.c +++ b/library/pem.c @@ -287,6 +287,9 @@ int pem_read_buffer( pem_context *ctx, char *header, char *footer, const unsigne #endif /* POLARSSL_MD5_C && (POLARSSL_AES_C || POLARSSL_DES_C) */ } + if( s1 == s2 ) + return( POLARSSL_ERR_PEM_INVALID_DATA ); + len = 0; ret = base64_decode( NULL, &len, s1, s2 - s1 ); |