Fix potential heap corruption on Windows

If len is large enough, when cast to an int it will be negative and then the test if( len > MAX_PATH - 3 ) will not behave as expected.
2015-10-21 10:16:29 +02:00 · 2015-10-21 10:16:29 +02:00 · 261faed725
commit 261faed725
parent cdea97c1c3
2 changed files with 9 additions and 2 deletions
--- a/7
+++ b/7
@ -1,5 +1,12 @@
 mbed TLS ChangeLog (Sorted per branch, date)

+= mbed TLS 2.2.0 released 2015-10-xx
+
+Security
+   * Fix potential heap corruption on Windows when
+     mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
+     triggered remotely. Found by Guido Vranken, Interlworks.
+
 = mbed TLS 2.1.2 released 2015-10-06

 Security
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -1097,7 +1097,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
    WCHAR szDir[MAX_PATH];
    char filename[MAX_PATH];
    char *p;
-    int len = (int) strlen( path );
+    size_t len = strlen( path );

    WIN32_FIND_DATAW file_data;
    HANDLE hFind;
@ -1131,7 +1131,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )

        w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
                                     lstrlenW( file_data.cFileName ),
-                                     p, len - 1,
+                                     p, (int) len - 1,
                                     NULL, NULL );
        if( w_ret == 0 )
            return( MBEDTLS_ERR_X509_FILE_IO_ERROR );