sanity checks before copying copying peer certificate

2025-08-01 03:34:39 +02:00 · 2017-05-04 13:10:46 -06:00
parent bfc43cee15
commit 9b5340d3af
2 changed files with 18 additions and 6 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -6597,7 +6597,8 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
            ret = MEMORY_E;
    }

-    if (dCert->signature != NULL && dCert->sigLength != 0) {
+    if (dCert->signature != NULL && dCert->sigLength != 0 &&
+            dCert->sigLength <= MAX_ENCODED_SIG_SZ) {
        x509->sig.buffer = (byte*)XMALLOC(
                          dCert->sigLength, x509->heap, DYNAMIC_TYPE_SIGNATURE);
        if (x509->sig.buffer == NULL) {
@@ -7158,8 +7159,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                    ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
        #endif
                }
-                else if (ret == ASN_PARSE_E) {
-                    WOLFSSL_MSG("Got Peer cert ASN PARSE ERROR, fatal");
+                else if (ret == ASN_PARSE_E || ret == BUFFER_E) {
+                    WOLFSSL_MSG("Got Peer cert ASN PARSE or BUFFER ERROR");
                    fatal = 1;
                }
                else {
@@ -7257,8 +7258,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
            #endif /* HAVE_OCSP || HAVE_CRL */

            #ifdef KEEP_PEER_CERT
-                {
-                    /* set X509 format for peer cert even if fatal */
+                if (fatal == 0) {
+                    /* set X509 format for peer cert */
                    int copyRet = CopyDecodedToX509(&ssl->peerCert,
                                                                args->dCert);
                    if (copyRet == MEMORY_E)
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -986,6 +986,17 @@ static int CheckBitString(const byte* input, word32* inOutIdx, int* len,
    if (GetLength(input, &idx, &length, maxIdx) < 0)
        return ASN_PARSE_E;

+    /* extra sanity check that length is greater than 0 */
+    if (length <= 0) {
+        WOLFSSL_MSG("Error length was 0 in CheckBitString");
+        return BUFFER_E;
+    }
+
+    if (idx + 1 > maxIdx) {
+        WOLFSSL_MSG("Attempted buffer read larger than input buffer");
+        return BUFFER_E;
+    }
+
    b = input[idx];
    if (zeroBits && b != 0x00)
        return ASN_EXPECT_0_E;
@@ -998,7 +1009,7 @@ static int CheckBitString(const byte* input, word32* inOutIdx, int* len,
            return ASN_PARSE_E;
    }
    idx++;
-    length--;
+    length--; /* length has been checked for greater than 0 */

    *inOutIdx = idx;
    if (len != NULL)