Fix potential overflow in base64_encode
parent
50a739f8c3
commit
0aa45c209a
@ -2,6 +2,13 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
|||||||
|
|
||||||
= mbed TLS 2.1.1 released 2015-09-17
|
= mbed TLS 2.1.1 released 2015-09-17
|
||||||
|
|
||||||
|
Security
|
||||||
|
* Fix possible heap buffer overflow in base64_encoded() when the input
|
||||||
|
buffer is 512MB or larger on 32-bit platforms.
|
||||||
|
Found by Guido Vranken. Not trigerrable remotely in TLS.
|
||||||
|
|
||||||
|
= mbed TLS 2.1.1 released 2015-09-17
|
||||||
|
|
||||||
Security
|
Security
|
||||||
* Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
|
* Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
|
||||||
signatures. (Found by Florian Weimer, Red Hat.)
|
signatures. (Found by Florian Weimer, Red Hat.)
|
||||||
|
@ -24,6 +24,7 @@
|
|||||||
#define MBEDTLS_BASE64_H
|
#define MBEDTLS_BASE64_H
|
||||||
|
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
|
#include <limits.h>
|
||||||
|
|
||||||
#define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL -0x002A /**< Output buffer too small. */
|
#define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL -0x002A /**< Output buffer too small. */
|
||||||
#define MBEDTLS_ERR_BASE64_INVALID_CHARACTER -0x002C /**< Invalid character in input. */
|
#define MBEDTLS_ERR_BASE64_INVALID_CHARACTER -0x002C /**< Invalid character in input. */
|
||||||
@ -44,6 +45,8 @@ extern "C" {
|
|||||||
* \return 0 if successful, or MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL.
|
* \return 0 if successful, or MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL.
|
||||||
* *olen is always updated to reflect the amount
|
* *olen is always updated to reflect the amount
|
||||||
* of data that has (or would have) been written.
|
* of data that has (or would have) been written.
|
||||||
|
* If that length cannot be represented, then no data is
|
||||||
|
* written to the buffer and *olen is set to SIZE_T_MAX.
|
||||||
*
|
*
|
||||||
* \note Call this function with dlen = 0 to obtain the
|
* \note Call this function with dlen = 0 to obtain the
|
||||||
* required buffer size in *olen
|
* required buffer size in *olen
|
||||||
|
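Review bot: `SIZE_T_MAX`, which the new doc lines name as the sentinel written to `*olen`, is not a macro that ISO C defines, and the added `#include <limits.h>` provides it only on some platforms (the standard name is `SIZE_MAX` from `<stdint.h>`). The same identifier is used in the base64.c hunk, in `if( n > ( SIZE_T_MAX - 1 ) / 4 )` and `*olen = SIZE_T_MAX;`, so unless the project defines it somewhere not shown on this page, the build would fail on toolchains that lack it. I would word the doc as `*olen is set to the maximum value of size_t` and have the implementation use `( (size_t) -1 )` behind a file-local macro, which needs no extra header. The declaration this doc comment belongs to lies outside the hunk.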
@ -85,15 +85,16 @@ int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen,
|
|||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
n = ( slen << 3 ) / 6;
|
n = slen / 3 + ( slen % 3 != 0 );
|
||||||
|
|
||||||
switch( ( slen << 3 ) - ( n * 6 ) )
|
if( n > ( SIZE_T_MAX - 1 ) / 4 )
|
||||||
{
|
{
|
||||||
case 2: n += 3; break;
|
*olen = SIZE_T_MAX;
|
||||||
case 4: n += 2; break;
|
return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
|
||||||
default: break;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
n *= 4;
|
||||||
|
|
||||||
if( dlen < n + 1 )
|
if( dlen < n + 1 )
|
||||||
{
|
{
|
||||||
*olen = n + 1;
|
*olen = n + 1;
|
||||||
|
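Review bot: The new guard `if( n > ( SIZE_T_MAX - 1 ) / 4 )` has no comment, and the bound is not obvious: it has to keep both `n *= 4` and the later `n + 1` representable. A comment above it such as `/* n = number of 4-character output groups; 4 * n + 1 (the extra byte checked by dlen < n + 1) must fit in size_t */` would keep a later edit from loosening it. The overflow branch returns the same MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL as the ordinary short-buffer path, so the comment should also say that `*olen` is a sentinel here, not a size a caller can allocate or do arithmetic on. The function body starts and ends outside the hunk.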