mirror of
https://github.com/yuzu-emu/mbedtls
synced 2024-11-24 07:38:08 +00:00
Prevent signed integer overflow in CSR parsing
Modify the function mbedtls_x509_csr_parse_der() so that it checks the parsed CSR version integer before it increments the value. This prevents a potential signed integer overflow, as these have undefined behaviour in the C standard.
This commit is contained in:
parent
80164741e1
commit
2e3ddfac5f
2 changed files with 7 additions and 3 deletions
|
@ -46,6 +46,10 @@ Bugfix
|
||||||
Reported and fix suggested by guidovranken in #740
|
Reported and fix suggested by guidovranken in #740
|
||||||
* Fix conditional preprocessor directives in bignum.h to enable 64-bit
|
* Fix conditional preprocessor directives in bignum.h to enable 64-bit
|
||||||
compilation when using ARM Compiler 6.
|
compilation when using ARM Compiler 6.
|
||||||
|
* Fix potential integer overflow in the version verification for DER
|
||||||
|
encoded X509 CSRs. The overflow would enable maliciously constructed CSRs
|
||||||
|
to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
|
||||||
|
KNOX Security, Samsung Research America
|
||||||
|
|
||||||
Security
|
Security
|
||||||
* Fix authentication bypass in SSL/TLS: when auth_mode is set to optional,
|
* Fix authentication bypass in SSL/TLS: when auth_mode is set to optional,
|
||||||
|
|
|
@ -168,14 +168,14 @@ int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
csr->version++;
|
if( csr->version != 0 )
|
||||||
|
|
||||||
if( csr->version != 1 )
|
|
||||||
{
|
{
|
||||||
mbedtls_x509_csr_free( csr );
|
mbedtls_x509_csr_free( csr );
|
||||||
return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
|
return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
csr->version++;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* subject Name
|
* subject Name
|
||||||
*/
|
*/
|
||||||
|
|
Loading…
Reference in a new issue