mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-25 13:43:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix overflow checks in x509write_crt

Browse Source 
Previous ones could still overflow.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
This commit is contained in:
Andrzej Kurek 2023-06-02 05:02:41 -04:00
parent 51cef9ce38
commit 7c86974d6d
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
library/x509write_crt.c
View File

@ -186,19 +186,23 @@ int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *c
* maximum 4 bytes for the length field, * maximum 4 bytes for the length field,
* 1 byte for the tag/type. * 1 byte for the tag/type.
*/ */
CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len + 4 + 1); CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len);
CHECK_OVERFLOW_ADD(buflen, 4 + 1);
break; break;
case MBEDTLS_X509_SAN_DIRECTORY_NAME: case MBEDTLS_X509_SAN_DIRECTORY_NAME:
{ {
const mbedtls_asn1_named_data *chunk = &cur->node.san.directory_name; const mbedtls_asn1_named_data *chunk = &cur->node.san.directory_name;
while (chunk != NULL) { while (chunk != NULL) {
// 5 bytes for OID, max 4 bytes for length, +1 for tag, // Max 4 bytes for length, +1 for tag,
// additional 4 max for length, +1 for tag. // additional 4 max for length, +1 for tag.
// See x509_write_name for more information. // See x509_write_name for more information.
CHECK_OVERFLOW_ADD(buflen, chunk->val.len + 5 + 4 + 1 + 4 + 1); CHECK_OVERFLOW_ADD(buflen, 4 + 1 + 4 + 1);
CHECK_OVERFLOW_ADD(buflen, chunk->oid.len);
CHECK_OVERFLOW_ADD(buflen, chunk->val.len);
chunk = chunk->next; chunk = chunk->next;
} }
CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len + 4 + 1); CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len);
CHECK_OVERFLOW_ADD(buflen, 4 + 1);
break; break;
} }
default: default: