Merge fix IOTSSL-475 Potential buffer overflow

Two possible integer overflows (during << 2 or addition in BITS_TO_LIMB()) could result in far too few memory to be allocated, then overflowing the buffer in the subsequent for loop. Both integer overflows happen when slen is close to or greater than SIZE_T_MAX >> 2 (ie 2^30 on a 32 bit system). Note: one could also avoid those overflows by changing BITS_TO_LIMB(s << 2) to CHARS_TO_LIMB(s >> 1) but the solution implemented looks more robust with respect to future code changes.
2025-07-28 00:21:48 +03:00 · 2015-10-04 23:43:05 +01:00
parent d5ba4672b2 58fb49531d
commit e7f96f22ee
2 changed files with 12 additions and 2 deletions
--- a/library/bignum.c
+++ b/library/bignum.c
@ -38,6 +38,7 @@
 #include "mbedtls/bn_mul.h"

 #include <string.h>
+#include <limits.h>

 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
@ -60,9 +61,10 @@ static void mbedtls_zeroize( void *v, size_t n ) {

 /*
 * Convert between bits/chars and number of limbs
+ * Divide first in order to avoid potential overflows
 */
-#define BITS_TO_LIMBS(i)  (((i) + biL - 1) / biL)
-#define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
+#define BITS_TO_LIMBS(i)  ( (i) / biL + ( (i) % biL != 0 ) )
+#define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) )

 /*
 * Initialize one MPI
@ -409,6 +411,9 @@ int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s )

    if( radix == 16 )
    {
+        if( slen > SIZE_T_MAX >> 2 )
+            return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
        n = BITS_TO_LIMBS( slen << 2 );

        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, n ) );