1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00

Merge pull request #1347 from mpg/fix-asn1-store-named-data-null-deref-3.6

Backport 3.6: Fix asn1 store named data null deref
This commit is contained in:
Manuel Pégourié-Gonnard
2025-06-10 09:50:34 +02:00
committed by GitHub
5 changed files with 47 additions and 1 deletions

View File

@ -0,0 +1,5 @@
Bugfix
* When calling mbedtls_asn1_write_raw_buffer() with NULL, 0 as the last two
arguments, undefined behaviour would be triggered, in the form of a call to
memcpy(..., NULL, 0). This was harmless in practice, but could trigger
complains from sanitizers or static analyzers.

View File

@ -0,0 +1,12 @@
Security
* Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave
an item in the output list in an inconsistent state with val.p == NULL but
val.len > 0. This impacts applications that call this function directly,
or indirectly via mbedtls_x509_string_to_names() or one of the
mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions. The
inconsistent state of the output could then cause a NULL dereference either
inside the same call to mbedtls_x509_string_to_names(), or in subsequent
users of the output structure, such as mbedtls_x509_write_names(). This
only affects applications that create (as opposed to consume) X.509
certificates, CSRs or CRLS, or that call mbedtls_asn1_store_named_data()
directly. Found by Linh Le and Ngan Nguyen from Calif.

View File

@ -90,7 +90,9 @@ int mbedtls_asn1_write_raw_buffer(unsigned char **p, const unsigned char *start,
len = size; len = size;
(*p) -= len; (*p) -= len;
memcpy(*p, buf, len); if (len != 0) {
memcpy(*p, buf, len);
}
return (int) len; return (int) len;
} }
@ -412,6 +414,7 @@ mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(
} else if (val_len == 0) { } else if (val_len == 0) {
mbedtls_free(cur->val.p); mbedtls_free(cur->val.p);
cur->val.p = NULL; cur->val.p = NULL;
cur->val.len = 0;
} else if (cur->val.len != val_len) { } else if (cur->val.len != val_len) {
/* /*
* Enlarge existing value buffer if needed * Enlarge existing value buffer if needed

View File

@ -550,6 +550,9 @@ void store_named_data_val_found(int old_len, int new_len)
} }
if (new_len == 0) { if (new_len == 0) {
TEST_ASSERT(found->val.p == NULL); TEST_ASSERT(found->val.p == NULL);
/* If new_len != 0, then new_val != NULL and the length has been checked
* above by TEST_MEMORY_COMPARE(). But not here, so we need to check. */
TEST_EQUAL(found->val.len, 0);
} else if (new_len == old_len) { } else if (new_len == old_len) {
TEST_ASSERT(found->val.p == old_val); TEST_ASSERT(found->val.p == old_val);
} else { } else {
@ -583,8 +586,10 @@ void store_named_data_val_new(int new_len, int set_new_val)
TEST_MEMORY_COMPARE(found->oid.p, found->oid.len, oid, oid_len); TEST_MEMORY_COMPARE(found->oid.p, found->oid.len, oid, oid_len);
if (new_len == 0) { if (new_len == 0) {
TEST_ASSERT(found->val.p == NULL); TEST_ASSERT(found->val.p == NULL);
TEST_EQUAL(found->val.len, 0);
} else if (new_val == NULL) { } else if (new_val == NULL) {
TEST_ASSERT(found->val.p != NULL); TEST_ASSERT(found->val.p != NULL);
TEST_EQUAL(found->val.len, new_len);
} else { } else {
TEST_ASSERT(found->val.p != new_val); TEST_ASSERT(found->val.p != new_val);
TEST_MEMORY_COMPARE(found->val.p, found->val.len, TEST_MEMORY_COMPARE(found->val.p, found->val.len,

View File

@ -254,6 +254,27 @@ mbedtls_x509_string_to_names:"C=NL, O=Of\\CCspark, OU=PolarSSL":"C=NL, O=Of\\CCs
X509 String to Names #20 (Reject empty AttributeValue) X509 String to Names #20 (Reject empty AttributeValue)
mbedtls_x509_string_to_names:"C=NL, O=, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME:0 mbedtls_x509_string_to_names:"C=NL, O=, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME:0
# Note: the behaviour is incorrect, output from string->names->string should be
# the same as the input, rather than just the last component, see
# https://github.com/Mbed-TLS/mbedtls/issues/10189
# Still including tests for the current incorrect behaviour because of the
# variants below where we want to ensure at least that no memory corruption
# happens (which would be a lot worse than just a functional bug).
X509 String to Names (repeated OID)
mbedtls_x509_string_to_names:"CN=ab,CN=cd,CN=ef":"CN=ef":0:0
# Note: when a value starts with a # sign, it's treated as the hex encoding of
# the DER encoding of the value. Here, 0400 is a zero-length OCTET STRING.
# The tag actually doesn't matter for our purposes, only the length.
X509 String to Names (repeated OID, 1st is zero-length)
mbedtls_x509_string_to_names:"CN=#0400,CN=cd,CN=ef":"CN=ef":0:0
X509 String to Names (repeated OID, middle is zero-length)
mbedtls_x509_string_to_names:"CN=ab,CN=#0400,CN=ef":"CN=ef":0:0
X509 String to Names (repeated OID, last is zero-length)
mbedtls_x509_string_to_names:"CN=ab,CN=cd,CN=#0400":"CN=#0000":0:MAY_FAIL_GET_NAME
X509 Round trip test (Escaped characters) X509 Round trip test (Escaped characters)
mbedtls_x509_string_to_names:"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":0:0 mbedtls_x509_string_to_names:"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":0:0