arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-04-21 10:26:06 +03:00
Code

Fix in asn1_get_printable string

Browse Source 
Buffer overflow vulnerability in proc.c
Possible double memory release on invalid certificates.


git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@221 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
This commit is contained in:
cameronrich 2012-02-10 10:31:02 +00:00
parent 1378f8a78f
commit ffa4da45ee
5 changed files with 29 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
crypto/crypto_misc.c
View File

@ -348,13 +348,15 @@ EXP_FUNC int STDCALL base64_decode(const char *in, int len,
y = t = 0;
}
if (z >= *outlen) /* check that we don't go past the output buffer */
goto error;
}
if (y != 0)
goto error;
if (outlen)
*outlen = z;
*outlen = z;
ret = 0;
error:

8
httpd/proc.c
View File

@ -152,7 +152,7 @@ static int procheadelem(struct connstruct *cn, char *buf)
else if (strcasecmp(buf, "Authorization:") == 0 &&
strncmp(value, "Basic ", 6) == 0)
{
int size;
int size = sizeof(cn->authorization);
if (base64_decode(&value[6], strlen(&value[6]),
(uint8_t *)cn->authorization, &size))
cn->authorization[0] = 0; /* error */
@ -1051,7 +1051,8 @@ static int check_digest(char *salt, const char *msg_passwd)
{
uint8_t b256_salt[MAXREQUESTLENGTH];
uint8_t real_passwd[MD5_SIZE];
int salt_size;
int salt_size = sizeof(b256_salt);
int password_size = sizeof(real_passwd);
char *b64_passwd;
uint8_t md5_result[MD5_SIZE];
MD5_CTX ctx;
@ -1064,7 +1065,8 @@ static int check_digest(char *salt, const char *msg_passwd)
if (base64_decode(salt, strlen(salt), b256_salt, &salt_size))
return -1;
if (base64_decode(b64_passwd, strlen(b64_passwd), real_passwd, NULL))
if (base64_decode(b64_passwd, strlen(b64_passwd), real_passwd,
&password_size))
return -1;
/* very simple MD5 crypt algorithm, but then the salt we use is large */

17
ssl/asn1.c
View File

@ -288,19 +288,20 @@ end_oid:
static int asn1_get_printable_str(const uint8_t *buf, int *offset, char **str)
{
int len = X509_NOT_OK;
int asn1_type = buf[*offset];
/* some certs have this awful crud in them for some reason */
if (buf[*offset] != ASN1_PRINTABLE_STR &&
buf[*offset] != ASN1_PRINTABLE_STR2 &&
buf[*offset] != ASN1_TELETEX_STR &&
buf[*offset] != ASN1_IA5_STR &&
buf[*offset] != ASN1_UNICODE_STR)
if (buf[asn1_type] != ASN1_PRINTABLE_STR &&
buf[asn1_type] != ASN1_PRINTABLE_STR2 &&
buf[asn1_type] != ASN1_TELETEX_STR &&
buf[asn1_type] != ASN1_IA5_STR &&
buf[asn1_type] != ASN1_UNICODE_STR)
goto end_pnt_str;
(*offset)++;
len = get_asn1_length(buf, offset);
if (buf[*offset - 1] == ASN1_UNICODE_STR)
if (buf[asn1_type - 1] == ASN1_UNICODE_STR)
{
int i;
*str = (char *)malloc(len/2+1); /* allow for null */
@ -330,7 +331,7 @@ int asn1_name(const uint8_t *cert, int *offset, char *dn[])
{
int ret = X509_NOT_OK;
int dn_type;
char *tmp = NULL;
char *tmp;
if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0)
goto end_name;
@ -343,6 +344,8 @@ int asn1_name(const uint8_t *cert, int *offset, char *dn[])
(dn_type = asn1_get_oid_x520(cert, offset)) < 0)
goto end_name;
tmp = NULL;
if (asn1_get_printable_str(cert, offset, &tmp) < 0)
{
free(tmp);

13
ssl/loader.c
View File

@ -259,6 +259,7 @@ static int pem_decrypt(const char *where, const char *end,
/* turn base64 into binary */
pem_size = (int)(end-start);
ssl_obj->len = sizeof(ssl_obj->buf);
if (base64_decode(start, pem_size, ssl_obj->buf, &ssl_obj->len) != 0)
goto error;
@ -326,11 +327,15 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
goto error;
}
}
else if (base64_decode(start, pem_size,
ssl_obj->buf, &ssl_obj->len) != 0)
else
{
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
ssl_obj->len = pem_size;
if (base64_decode(start, pem_size,
ssl_obj->buf, &ssl_obj->len) != 0)
{
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
}
}
switch (i)

2
www/index.html
View File

File diff suppressed because one or more lines are too long