mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-25 09:02:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Check for overflows when writing x509 SANs

Browse Source 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
This commit is contained in:
Andrzej Kurek 2023-04-27 08:25:41 -04:00
parent 5eebfb8fd0
commit 63a6a267a4
1 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
library/x509write_crt.c
View File

@ -36,6 +36,7 @@
#include "mbedtls/md.h" #include "mbedtls/md.h"
#include <string.h> #include <string.h>
#include <stdint.h>
#if defined(MBEDTLS_PEM_WRITE_C) #if defined(MBEDTLS_PEM_WRITE_C)
#include "mbedtls/pem.h" #include "mbedtls/pem.h"
@ -48,6 +49,16 @@
#include "hash_info.h" #include "hash_info.h"
#define CHECK_OVERFLOW_ADD(a, b) \
do \
{ \
if (a > SIZE_MAX - (b)) \
{ \
return MBEDTLS_ERR_X509_BAD_INPUT_DATA; \
} \
a += b; \
} while (0)
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx) void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
{ {
memset(ctx, 0, sizeof(mbedtls_x509write_cert)); memset(ctx, 0, sizeof(mbedtls_x509write_cert));
@ -175,7 +186,7 @@ int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *c
* maximum 4 bytes for the length field, * maximum 4 bytes for the length field,
* 1 byte for the tag/type. * 1 byte for the tag/type.
*/ */
buflen += cur->node.san.unstructured_name.len + 4 + 1; CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len + 4 + 1);
break; break;
case MBEDTLS_X509_SAN_DIRECTORY_NAME: case MBEDTLS_X509_SAN_DIRECTORY_NAME:
{ {
@ -184,10 +195,10 @@ int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *c
// 5 bytes for OID, max 4 bytes for length, +1 for tag, // 5 bytes for OID, max 4 bytes for length, +1 for tag,
// additional 4 max for length, +1 for tag. // additional 4 max for length, +1 for tag.
// See x509_write_name for more information. // See x509_write_name for more information.
buflen += chunk->val.len + 5 + 4 + 1 + 4 + 1; CHECK_OVERFLOW_ADD(buflen, chunk->val.len + 5 + 4 + 1 + 4 + 1);
chunk = chunk->next; chunk = chunk->next;
} }
buflen += cur->node.san.unstructured_name.len + 4 + 1; CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len + 4 + 1);
break; break;
} }
default: default:
@ -197,7 +208,7 @@ int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *c
} }
/* Add the extra length field and tag */ /* Add the extra length field and tag */
buflen += 4 + 1; CHECK_OVERFLOW_ADD(buflen, 4 + 1);
/* Allocate buffer */ /* Allocate buffer */
buf = mbedtls_calloc(1, buflen); buf = mbedtls_calloc(1, buflen);
@ -253,6 +264,11 @@ int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *c
goto cleanup; goto cleanup;
} }
cur = cur->next; cur = cur->next;
/* check for overflow */
if (len > SIZE_MAX - single_san_len) {
ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
goto cleanup;
}
len += single_san_len; len += single_san_len;
} }