mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-09 14:50:50 +02:00
Merge pull request #10706 from JacobBarthelmeh/dev
defense in depth hardening for x509 extension create by OBJ and EVP decode update
This commit is contained in:
+17
-5
@@ -298,6 +298,7 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_EXTENSION_create_by_OBJ(
|
||||
{
|
||||
int err = 0;
|
||||
WOLFSSL_X509_EXTENSION *ret = ex;
|
||||
WOLFSSL_ASN1_OBJECT *newObj = NULL;
|
||||
|
||||
WOLFSSL_ENTER("wolfSSL_X509_EXTENSION_create_by_OBJ");
|
||||
|
||||
@@ -311,7 +312,18 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_EXTENSION_create_by_OBJ(
|
||||
err = 1;
|
||||
}
|
||||
}
|
||||
else {
|
||||
|
||||
/* Duplicate the source object before freeing the existing one so that a
|
||||
* caller passing the extension's own object (e.g. obtained via
|
||||
* wolfSSL_X509_EXTENSION_get_object(ex)) does not read freed memory. */
|
||||
if (err == 0) {
|
||||
newObj = wolfSSL_ASN1_OBJECT_dup(obj);
|
||||
if (newObj == NULL) {
|
||||
err = 1;
|
||||
}
|
||||
}
|
||||
|
||||
if ((err == 0) && (ret == ex)) {
|
||||
/* Prevent potential memory leaks and dangling pointers. */
|
||||
wolfSSL_ASN1_OBJECT_free(ret->obj);
|
||||
ret->obj = NULL;
|
||||
@@ -320,10 +332,8 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_EXTENSION_create_by_OBJ(
|
||||
|
||||
if (err == 0) {
|
||||
ret->crit = crit;
|
||||
ret->obj = wolfSSL_ASN1_OBJECT_dup(obj);
|
||||
if (ret->obj == NULL) {
|
||||
err = 1;
|
||||
}
|
||||
ret->obj = newObj;
|
||||
newObj = NULL;
|
||||
}
|
||||
|
||||
if (err == 0) {
|
||||
@@ -333,6 +343,8 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_EXTENSION_create_by_OBJ(
|
||||
}
|
||||
|
||||
if (err == 1) {
|
||||
/* Free the duplicate if it was created but not assigned to ret. */
|
||||
wolfSSL_ASN1_OBJECT_free(newObj);
|
||||
if (ret != ex) {
|
||||
wolfSSL_X509_EXTENSION_free(ret);
|
||||
}
|
||||
|
||||
@@ -404,6 +404,18 @@ int test_wolfSSL_EVP_DecodeUpdate(void)
|
||||
);
|
||||
ExpectIntEQ( outl, 0);
|
||||
|
||||
/* pass negative length */
|
||||
ExpectIntEQ(
|
||||
EVP_DecodeUpdate(
|
||||
ctx,
|
||||
decOutBuff,
|
||||
&outl,
|
||||
enc1,
|
||||
-1), /* negative inl */
|
||||
-1 /* expected result code -1: fail */
|
||||
);
|
||||
ExpectIntEQ( outl, 0);
|
||||
|
||||
ExpectIntEQ(EVP_DecodeBlock(NULL, NULL, 0), -1);
|
||||
|
||||
/* pass zero length input */
|
||||
|
||||
@@ -905,6 +905,14 @@ int test_wolfSSL_X509_EXTENSION_create_by_OBJ(void)
|
||||
if (ext3 == NULL) {
|
||||
wolfSSL_X509_EXTENSION_free(ext2);
|
||||
}
|
||||
/* Reuse the extension passing its own object as the source. This must not
|
||||
* read freed memory (the source object aliases ext3's current object). */
|
||||
if (ext3 != NULL) {
|
||||
WOLFSSL_ASN1_OBJECT* self = NULL;
|
||||
ExpectNotNull(self = wolfSSL_X509_EXTENSION_get_object(ext3));
|
||||
ExpectNotNull(ext3 = wolfSSL_X509_EXTENSION_create_by_OBJ(ext3, self,
|
||||
crit, str));
|
||||
}
|
||||
wolfSSL_X509_EXTENSION_free(ext3);
|
||||
|
||||
ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(NULL, NULL, -1),
|
||||
|
||||
+1
-1
@@ -13471,7 +13471,7 @@ int wolfSSL_EVP_DecodeUpdate(WOLFSSL_EVP_ENCODE_CTX* ctx,
|
||||
if (outl == NULL)
|
||||
return -1;
|
||||
|
||||
if (ctx == NULL || out == NULL || in == NULL) {
|
||||
if (ctx == NULL || out == NULL || in == NULL || inl < 0) {
|
||||
*outl = 0;
|
||||
return -1;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user