From 4b20c0ee53854d9a8943130ede61bbdf4fdee806 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 20 Oct 2015 16:16:38 +0200
Subject: [PATCH] Fix potential stack buffer overflow in ecjpake

Two causes:
- the buffer is too short (missing 4 bytes for encoding id_len)
- the test was wrong

Would only happen when MBEDTLS_ECP_MAX_BITS == the bitsize of the curve actually used (does not happen in the default config).

Could not be triggered remotely.
---
 library/ecjpake.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/library/ecjpake.c b/library/ecjpake.c
index fd54a7d2d..1fa1c2d80 100644
--- a/library/ecjpake.c
+++ b/library/ecjpake.c
@@ -168,9 +168,9 @@ static int ecjpake_write_len_point( unsigned char **p,
 
 /*
  * Size of the temporary buffer for ecjpake_hash:
- * 3 EC points plus their length, plus ID (6 bytes)
+ * 3 EC points plus their length, plus ID and its length (4 + 6 bytes)
  */
-#define ECJPAKE_HASH_BUF_LEN ( 3 * ( 4 + MBEDTLS_ECP_MAX_PT_LEN ) + 6 )
+#define ECJPAKE_HASH_BUF_LEN ( 3 * ( 4 + MBEDTLS_ECP_MAX_PT_LEN ) + 4 + 6 )
 
 /*
  * Compute hash for ZKP (7.4.2.2.2.1)
@@ -196,7 +196,7 @@ static int ecjpake_hash( const mbedtls_md_info_t *md_info,
     MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, V ) );
     MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, X ) );
 
-    if( end < p || (size_t)( end - p ) < id_len )
+    if( end - p < 4 )
         return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
 
     *p++ = (unsigned char)( ( id_len >> 24 ) & 0xFF );
@@ -204,6 +204,9 @@ static int ecjpake_hash( const mbedtls_md_info_t *md_info,
     *p++ = (unsigned char)( ( id_len >> 8 ) & 0xFF );
     *p++ = (unsigned char)( ( id_len ) & 0xFF );
 
+    if( end < p || (size_t)( end - p ) < id_len )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
     memcpy( p, id, id_len );
     p += id_len;
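Review bot: The `4 + 6` in the new ECJPAKE_HASH_BUF_LEN hard-codes the largest ID the stack buffer can hold, but nothing in the hunk ties that 6 to the `id` strings callers pass to ecjpake_hash; with the length check added further down, an ID longer than 6 bytes would now fail with MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL instead of overflowing, which is correct but easy to trip over when an ID is changed later. Consider naming the bound and spelling out the contract, e.g. `#define ECJPAKE_ID_MAX_LEN 6` used in the macro, with the comment reading `* 3 EC points plus their length, plus the 4-byte ID length and the ID itself (at most ECJPAKE_ID_MAX_LEN bytes); longer IDs are rejected by ecjpake_hash()`. That every caller's ID is at most 6 bytes is not visible in this patch and should be confirmed against the call sites.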
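Review bot: The new `if( end - p < 4 )` check, and the matching check in the next hunk, report the error with a bare `return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );` while the surrounding lines go through MBEDTLS_MPI_CHK, i.e. `ret = …; goto cleanup;`; these two early returns are the only paths that bypass the function's cleanup label, so if that label (outside this hunk) ever does more than return, they would skip it. The idiomatic form here is `ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; goto cleanup;` in both places. The `4` also silently repeats the 4-byte length prefix assumed in ECJPAKE_HASH_BUF_LEN (and presumably written by ecjpake_write_len_point); a one-line comment such as `/* 4-byte big-endian id_len prefix; the ID bytes themselves are bounds-checked separately below */` would record why this check covers only the prefix. ecjpake_hash continues outside the hunk.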
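Review bot: In the added guard, the `end < p` clause cannot be true at this point: the check in the previous hunk established that at least 4 bytes remained and exactly four `*p++` writes followed, so `(size_t)( end - p ) < id_len` is the live condition and the extra clause reads as if p could already have overrun. Keeping the two checks separate (prefix, then payload) is the right shape, since a single `4 + id_len` comparison could wrap for a huge `id_len`, but a comment would stop a later cleanup from merging them: `/* p <= end is guaranteed by the prefix check above; only the ID payload needs checking here */`. If the clause is kept as belt-and-braces, say so in that comment instead. The enclosing function runs past the end of the hunk.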