Potential buffer overwrite in pem_write_buffer() fixed
Length indication when given a too small buffer was off. Added regression test in test_suite_pem to detect this.
parent
d6ad8e949b
commit
1630058dde
@ -42,6 +42,8 @@ Bugfix
|
||||
* dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
|
||||
* Calling pk_debug() on an RSA-alt key would segfault.
|
||||
* pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
|
||||
* Potential buffer overwrite in pem_write_buffer() because of low length
|
||||
indication (found by Thijs Alkemade)
|
||||
|
||||
= PolarSSL 1.3.5 released on 2014-03-26
|
||||
Features
|
||||
|
@ -382,10 +382,11 @@ int pem_write_buffer( const char *header, const char *footer,
|
||||
{
|
||||
int ret;
|
||||
unsigned char *encode_buf, *c, *p = buf;
|
||||
size_t len = 0, use_len = 0;
|
||||
size_t add_len = strlen( header ) + strlen( footer ) + ( use_len / 64 ) + 1;
|
||||
size_t len = 0, use_len = 0, add_len = 0;
|
||||
|
||||
base64_encode( NULL, &use_len, der_data, der_len );
|
||||
add_len = strlen( header ) + strlen( footer ) + ( use_len / 64 ) + 1;
|
||||
|
||||
if( use_len + add_len > buf_len )
|
||||
{
|
||||
*olen = use_len + add_len;
|
||||
|
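Review bot: The ordering this fix relies on is not documented: `add_len` must be assigned only after the `base64_encode( NULL, &use_len, der_data, der_len )` size query has filled `use_len`, and nothing in the new lines says so. A comment above the call, such as `/* Size query only: fills use_len, which add_len below depends on */`, would keep a later cleanup from folding the computation back into the declaration, where `use_len` is still 0 and the reported length comes out too low. The return value of that call is ignored, which looks intentional for a length query but is worth stating in the same comment. The body of pem_write_buffer() continues outside the hunk.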
@ -75,6 +75,7 @@ add_test_suite(md)
|
||||
add_test_suite(mdx)
|
||||
add_test_suite(mpi)
|
||||
add_test_suite(pbkdf2)
|
||||
add_test_suite(pem)
|
||||
add_test_suite(pkcs1_v21)
|
||||
add_test_suite(pkcs5)
|
||||
add_test_suite(pk)
|
||||
|
@ -58,6 +58,7 @@ APPS = test_suite_aes.ecb test_suite_aes.cbc \
|
||||
test_suite_hmac_drbg.pr \
|
||||
test_suite_md test_suite_mdx \
|
||||
test_suite_mpi test_suite_pbkdf2 \
|
||||
test_suite_pem \
|
||||
test_suite_pkcs1_v21 test_suite_pkcs5 \
|
||||
test_suite_pkparse test_suite_pkwrite \
|
||||
test_suite_pk \
|
||||
@ -321,6 +322,10 @@ test_suite_pbkdf2: test_suite_pbkdf2.c $(DEP)
|
||||
echo " CC $@.c"
|
||||
$(CC) $(CFLAGS) $(OFLAGS) $@.c $(LDFLAGS) -o $@
|
||||
|
||||
test_suite_pem: test_suite_pem.c $(DEP)
|
||||
echo " CC $@.c"
|
||||
$(CC) $(CFLAGS) $(OFLAGS) $@.c $(LDFLAGS) -o $@
|
||||
|
||||
test_suite_pkcs1_v21: test_suite_pkcs1_v21.c $(DEP)
|
||||
echo " CC $@.c"
|
||||
$(CC) $(CFLAGS) $(OFLAGS) $@.c $(LDFLAGS) -o $@
|
||||
|
@ -1,6 +1,14 @@
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#if defined(POLARSSL_PLATFORM_C)
|
||||
#include "polarssl/platform.h"
|
||||
#else
|
||||
#define polarssl_printf printf
|
||||
#define polarssl_malloc malloc
|
||||
#define polarssl_free free
|
||||
#endif
|
||||
|
||||
static int test_errors = 0;
|
||||
|
||||
SUITE_PRE_DEP
|
||||
|
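Review bot: The `#else` branch maps `polarssl_malloc` and `polarssl_free` to `malloc` and `free`, but the only standard headers visible in this hunk are `<stdio.h>` and `<string.h>`. Unless `<stdlib.h>` is pulled in by something outside the hunk, builds without POLARSSL_PLATFORM_C would call `malloc` through an implicit declaration, and the returned pointer can be truncated where `int` is narrower than a pointer. Adding `#include <stdlib.h>` at the top of the `#else` branch makes the fallback self-contained. The file continues below the hunk, so an existing include there would make this unnecessary.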
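--- a/tests/suites/test_suite_pem.data
+++ b/tests/suites/test_suite_pem.data
@@ -0,0 +1,17 @@
+Standard PEM write
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8=\n-----END TEST-----\n"
+
+PEM write (zero data)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"":"-----START TEST-----\n-----END TEST-----\n"
+
+PEM write (one byte)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"00":"-----START TEST-----\nAA==\n-----END TEST-----\n"
+
+PEM write (more than line size)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8=\n-----END TEST-----\n"
+
+PEM write (exactly two lines)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\n-----END TEST-----\n"
+
+PEM write (exactly two lines + 1)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAA==\n-----END TEST-----\n"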
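--- a/tests/suites/test_suite_pem.function
+++ b/tests/suites/test_suite_pem.function
@@ -0,0 +1,38 @@
+/* BEGIN_HEADER */
+#include <polarssl/base64.h>
+#include <polarssl/pem.h>
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+* depends_on:POLARSSL_PEM_WRITE_C
+* END_DEPENDENCIES
+*/
+
+/* BEGIN_CASE */
+void pem_write_buffer( char *start, char *end, char *buf_str, char *result_str )
+{
+unsigned char buf[5000];
+unsigned char *check_buf;
+int ret;
+size_t buf_len, olen = 0, olen2 = 0;
+
+memset( buf, 0, sizeof( buf ) );
+
+buf_len = unhexify( buf, buf_str );
+
+ret = pem_write_buffer( start, end, buf, buf_len, NULL, 0, &olen );
+TEST_ASSERT( ret == POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL );
+
+check_buf = (unsigned char *) polarssl_malloc( olen );
+TEST_ASSERT( check_buf != NULL );
+
+memset( check_buf, 0, olen );
+ret = pem_write_buffer( start, end, buf, buf_len, check_buf, olen, &olen2 );
+
+TEST_ASSERT( olen2 <= olen );
+TEST_ASSERT( olen > strlen( (char*) result_str ) );
+TEST_ASSERT( ret == 0 );
+TEST_ASSERT( strncmp( (char *) check_buf, (char *) result_str, olen ) == 0 );
+polarssl_free( check_buf );
+}
+/* END_CASE */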
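Review bot: The regression test cannot observe an overwrite on its own, because `check_buf` is allocated with exactly `olen` bytes and nothing past the end is inspected. A write beyond the reported length would only surface when the suite runs under a memory checker. Allocating one guard byte, `polarssl_malloc( olen + 1 )`, setting `check_buf[olen] = 0xA5;` before the second call and adding `TEST_ASSERT( check_buf[olen] == 0xA5 );` after it would make the test fail deterministically. Separately, if TEST_ASSERT leaves the function on failure (its definition is not visible here), `check_buf` is not freed on any failing path after the allocation.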