-
Notifications
You must be signed in to change notification settings - Fork 2.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix segfault in mbedtls_oid_get_numeric_string
When passed an empty OID, mbedtls_oid_get_numeric_string would read one byte from the zero-sized buffer and return an error code that depends on its value. This is demonstrated by the test suite changes, which check that an OID with length zero and an invalid buffer pointer does not cause Mbed TLS to segfault. Also check that second and subsequent subidentifiers are terminated, and add a test case for that. Furthermore, stop relying on integer division by 40, use the same loop for both the first and subsequent subidentifiers, and add additional tests. Signed-off-by: Demi Marie Obenour <[email protected]>
- Loading branch information
Showing
4 changed files
with
75 additions
and
53 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
Security: | ||
* Fix a 1-byte out-of-bounds read in mbedtls_oid_get_numeric_string() when | ||
called on the empty input. The only information returned to the caller | ||
is whether byte 1 (of the 0-length OID) is 0x80 or not. This bug | ||
appeared in the development and 2.28 branches, but was caught by Demi | ||
Marie Obenour before it appeared in the master branch or in any release | ||
tags, so no CVE has been assigned. | ||
|
||
Bugfix: | ||
* If mbedtls_oid_get_numeric_string() is called with a length greater than | ||
INT_MAX, fail instead of returning an incorrect length. | ||
* Fail (with MBEDTLS_ERR_ASN1_OUT_OF_DATA) if the second or subsequent | ||
subidentifier in an OID passed to mbedtls_oid_get_numeric_string() is not | ||
terminated. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters