mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-07-30 22:43:08 +03:00
Merge pull request #1347 from mpg/fix-asn1-store-named-data-null-deref-3.6
Backport 3.6: Fix asn1 store named data null deref
This commit is contained in:
5
ChangeLog.d/fix-asn1write-raw-buffer.txt
Normal file
5
ChangeLog.d/fix-asn1write-raw-buffer.txt
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
Bugfix
|
||||||
|
* When calling mbedtls_asn1_write_raw_buffer() with NULL, 0 as the last two
|
||||||
|
arguments, undefined behaviour would be triggered, in the form of a call to
|
||||||
|
memcpy(..., NULL, 0). This was harmless in practice, but could trigger
|
||||||
|
complains from sanitizers or static analyzers.
|
12
ChangeLog.d/fix-string-to-names-store-named-data.txt
Normal file
12
ChangeLog.d/fix-string-to-names-store-named-data.txt
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
Security
|
||||||
|
* Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave
|
||||||
|
an item in the output list in an inconsistent state with val.p == NULL but
|
||||||
|
val.len > 0. This impacts applications that call this function directly,
|
||||||
|
or indirectly via mbedtls_x509_string_to_names() or one of the
|
||||||
|
mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions. The
|
||||||
|
inconsistent state of the output could then cause a NULL dereference either
|
||||||
|
inside the same call to mbedtls_x509_string_to_names(), or in subsequent
|
||||||
|
users of the output structure, such as mbedtls_x509_write_names(). This
|
||||||
|
only affects applications that create (as opposed to consume) X.509
|
||||||
|
certificates, CSRs or CRLS, or that call mbedtls_asn1_store_named_data()
|
||||||
|
directly. Found by Linh Le and Ngan Nguyen from Calif.
|
@ -90,7 +90,9 @@ int mbedtls_asn1_write_raw_buffer(unsigned char **p, const unsigned char *start,
|
|||||||
|
|
||||||
len = size;
|
len = size;
|
||||||
(*p) -= len;
|
(*p) -= len;
|
||||||
memcpy(*p, buf, len);
|
if (len != 0) {
|
||||||
|
memcpy(*p, buf, len);
|
||||||
|
}
|
||||||
|
|
||||||
return (int) len;
|
return (int) len;
|
||||||
}
|
}
|
||||||
@ -412,6 +414,7 @@ mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(
|
|||||||
} else if (val_len == 0) {
|
} else if (val_len == 0) {
|
||||||
mbedtls_free(cur->val.p);
|
mbedtls_free(cur->val.p);
|
||||||
cur->val.p = NULL;
|
cur->val.p = NULL;
|
||||||
|
cur->val.len = 0;
|
||||||
} else if (cur->val.len != val_len) {
|
} else if (cur->val.len != val_len) {
|
||||||
/*
|
/*
|
||||||
* Enlarge existing value buffer if needed
|
* Enlarge existing value buffer if needed
|
||||||
|
@ -550,6 +550,9 @@ void store_named_data_val_found(int old_len, int new_len)
|
|||||||
}
|
}
|
||||||
if (new_len == 0) {
|
if (new_len == 0) {
|
||||||
TEST_ASSERT(found->val.p == NULL);
|
TEST_ASSERT(found->val.p == NULL);
|
||||||
|
/* If new_len != 0, then new_val != NULL and the length has been checked
|
||||||
|
* above by TEST_MEMORY_COMPARE(). But not here, so we need to check. */
|
||||||
|
TEST_EQUAL(found->val.len, 0);
|
||||||
} else if (new_len == old_len) {
|
} else if (new_len == old_len) {
|
||||||
TEST_ASSERT(found->val.p == old_val);
|
TEST_ASSERT(found->val.p == old_val);
|
||||||
} else {
|
} else {
|
||||||
@ -583,8 +586,10 @@ void store_named_data_val_new(int new_len, int set_new_val)
|
|||||||
TEST_MEMORY_COMPARE(found->oid.p, found->oid.len, oid, oid_len);
|
TEST_MEMORY_COMPARE(found->oid.p, found->oid.len, oid, oid_len);
|
||||||
if (new_len == 0) {
|
if (new_len == 0) {
|
||||||
TEST_ASSERT(found->val.p == NULL);
|
TEST_ASSERT(found->val.p == NULL);
|
||||||
|
TEST_EQUAL(found->val.len, 0);
|
||||||
} else if (new_val == NULL) {
|
} else if (new_val == NULL) {
|
||||||
TEST_ASSERT(found->val.p != NULL);
|
TEST_ASSERT(found->val.p != NULL);
|
||||||
|
TEST_EQUAL(found->val.len, new_len);
|
||||||
} else {
|
} else {
|
||||||
TEST_ASSERT(found->val.p != new_val);
|
TEST_ASSERT(found->val.p != new_val);
|
||||||
TEST_MEMORY_COMPARE(found->val.p, found->val.len,
|
TEST_MEMORY_COMPARE(found->val.p, found->val.len,
|
||||||
|
@ -254,6 +254,27 @@ mbedtls_x509_string_to_names:"C=NL, O=Of\\CCspark, OU=PolarSSL":"C=NL, O=Of\\CCs
|
|||||||
X509 String to Names #20 (Reject empty AttributeValue)
|
X509 String to Names #20 (Reject empty AttributeValue)
|
||||||
mbedtls_x509_string_to_names:"C=NL, O=, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME:0
|
mbedtls_x509_string_to_names:"C=NL, O=, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME:0
|
||||||
|
|
||||||
|
# Note: the behaviour is incorrect, output from string->names->string should be
|
||||||
|
# the same as the input, rather than just the last component, see
|
||||||
|
# https://github.com/Mbed-TLS/mbedtls/issues/10189
|
||||||
|
# Still including tests for the current incorrect behaviour because of the
|
||||||
|
# variants below where we want to ensure at least that no memory corruption
|
||||||
|
# happens (which would be a lot worse than just a functional bug).
|
||||||
|
X509 String to Names (repeated OID)
|
||||||
|
mbedtls_x509_string_to_names:"CN=ab,CN=cd,CN=ef":"CN=ef":0:0
|
||||||
|
|
||||||
|
# Note: when a value starts with a # sign, it's treated as the hex encoding of
|
||||||
|
# the DER encoding of the value. Here, 0400 is a zero-length OCTET STRING.
|
||||||
|
# The tag actually doesn't matter for our purposes, only the length.
|
||||||
|
X509 String to Names (repeated OID, 1st is zero-length)
|
||||||
|
mbedtls_x509_string_to_names:"CN=#0400,CN=cd,CN=ef":"CN=ef":0:0
|
||||||
|
|
||||||
|
X509 String to Names (repeated OID, middle is zero-length)
|
||||||
|
mbedtls_x509_string_to_names:"CN=ab,CN=#0400,CN=ef":"CN=ef":0:0
|
||||||
|
|
||||||
|
X509 String to Names (repeated OID, last is zero-length)
|
||||||
|
mbedtls_x509_string_to_names:"CN=ab,CN=cd,CN=#0400":"CN=#0000":0:MAY_FAIL_GET_NAME
|
||||||
|
|
||||||
X509 Round trip test (Escaped characters)
|
X509 Round trip test (Escaped characters)
|
||||||
mbedtls_x509_string_to_names:"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":0:0
|
mbedtls_x509_string_to_names:"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":0:0
|
||||||
|
|
||||||
|
Reference in New Issue
Block a user