lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

Merge pull request #297 from gilles-peskine-arm/asn1_get_int-undefined_shift

Browse Source 
Fix int overflow in mbedtls_asn1_get_int
This commit is contained in:
Gilles Peskine
2019-10-11 17:31:16 +02:00
committed by GitHub
parent e5e9081b76 37570e8152
commit 3cdb3da3a0
3 changed files with 160 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
library/asn1parse.c
View File

@ -149,16 +149,26 @@ int mbedtls_asn1_get_int( unsigned char **p,
if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
return( ret );
if( len == 0 || ( **p & 0x80 ) != 0 )
/* len==0 is malformed (0 must be represented as 020100). */
if( len == 0 )
return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
/* This is a cryptography library. Reject negative integers. */
if( ( **p & 0x80 ) != 0 )
return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
/* Skip leading zeros. */
while( len > 0 && **p == 0 )
{
++( *p );
--len;
}
/* Reject integers that don't fit in an int. This code assumes that
* the int type has no padding bit. */
if( len > sizeof( int ) )
return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
if( len == sizeof( int ) && ( **p & 0x80 ) != 0 )
return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
*val = 0;
while( len-- > 0 )