wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 10:47:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4527 from julek-wolfssl/zd13097

Browse Source 
Fix a heap buffer overflow with mismatched PEM structure ZD13097
This commit is contained in:
David Garske
2021-11-05 08:50:28 -07:00
committed by GitHub
parent ae84a2a326 1faa9e66b6
commit 4fe17cc143
2 changed files with 38 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/ssl.c
View File

@ -44111,7 +44111,7 @@ err:
} }
/* Read the header and footer */ /* Read the header and footer */
while (wolfSSL_BIO_read(bio, &pem[i], 1) == 1) { while (i < l && wolfSSL_BIO_read(bio, &pem[i], 1) == 1) {
i++; i++;
if (!header) { if (!header) {
header = XSTRNSTR(pem, "-----BEGIN ", (unsigned int)i); header = XSTRNSTR(pem, "-----BEGIN ", (unsigned int)i);
@ -44124,7 +44124,10 @@ err:
if (headerEnd) { if (headerEnd) {
headerEnd += XSTR_SIZEOF("-----"); headerEnd += XSTR_SIZEOF("-----");
/* Read in the newline */ /* Read in the newline */
(void)wolfSSL_BIO_read(bio, &pem[i], 1); if (wolfSSL_BIO_read(bio, &pem[i], 1) != 1) {
WOLFSSL_MSG("wolfSSL_BIO_read error");
goto err;
}
i++; i++;
if (*headerEnd != '\n' && *headerEnd != '\r') { if (*headerEnd != '\n' && *headerEnd != '\r') {
WOLFSSL_MSG("Missing newline after header"); WOLFSSL_MSG("Missing newline after header");
@ -44143,7 +44146,9 @@ err:
if (footerEnd) { if (footerEnd) {
footerEnd += XSTR_SIZEOF("-----"); footerEnd += XSTR_SIZEOF("-----");
/* Now check that footer matches header */ /* Now check that footer matches header */
if (XMEMCMP(header + XSTR_SIZEOF("-----BEGIN "), if ((headerEnd - (header + XSTR_SIZEOF("-----BEGIN "))) ==
(footerEnd - (footer + XSTR_SIZEOF("-----END "))) &&
XMEMCMP(header + XSTR_SIZEOF("-----BEGIN "),
footer + XSTR_SIZEOF("-----END "), footer + XSTR_SIZEOF("-----END "),
headerEnd - (header + XSTR_SIZEOF("-----BEGIN "))) headerEnd - (header + XSTR_SIZEOF("-----BEGIN ")))
!= 0) { != 0) {

30
tests/api.c
View File

@ -29724,6 +29724,24 @@ static void test_wolfSSL_X509_INFO(void)
X509_INFO *info; X509_INFO *info;
BIO *cert; BIO *cert;
int i; int i;
/* PEM in hex format to avoid null terminator */
byte data[] = {
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47,
0x49, 0x4e, 0x20, 0x43, 0x45, 0x52, 0x54, 0x63, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x44, 0x4d, 0x54, 0x42, 0x75, 0x51, 0x3d,
0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45, 0x4e, 0x44, 0x20, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d
};
/* PEM in hex format to avoid null terminator */
byte data2[] = {
0x41, 0x53, 0x4e, 0x31, 0x20, 0x4f, 0x49, 0x44, 0x3a, 0x20, 0x70, 0x72,
0x69, 0x6d, 0x65, 0x32, 0x35, 0x36, 0x76, 0x31, 0x0a, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x45, 0x43, 0x20, 0x50,
0x41, 0x52, 0x41, 0x4d, 0x45, 0x54, 0x45, 0x52, 0x53, 0x2d, 0x2d, 0x2d,
0x2d, 0x43, 0x65, 0x72, 0x74, 0x69, 0x2d, 0x0a, 0x42, 0x67, 0x67, 0x71,
0x68, 0x6b, 0x6a, 0x4f, 0x50, 0x51, 0x4d, 0x42, 0x42, 0x77, 0x3d, 0x3d,
0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d
};
printf(testingFmt, "wolfSSL_X509_INFO"); printf(testingFmt, "wolfSSL_X509_INFO");
@ -29742,6 +29760,18 @@ static void test_wolfSSL_X509_INFO(void)
sk_X509_INFO_free(info_stack); sk_X509_INFO_free(info_stack);
BIO_free(cert); BIO_free(cert);
/* This case should fail due to invalid input. */
AssertNotNull(cert = BIO_new(BIO_s_mem()));
AssertIntEQ(BIO_write(cert, data, sizeof(data)), sizeof(data));
AssertNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL));
sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
BIO_free(cert);
AssertNotNull(cert = BIO_new(BIO_s_mem()));
AssertIntEQ(BIO_write(cert, data2, sizeof(data2)), sizeof(data2));
AssertNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL));
sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
BIO_free(cert);
printf(resultFmt, passed); printf(resultFmt, passed);
#endif #endif
} }