From 8fac3fffead13282f76e18cc18283e73c0d7dbbc Mon Sep 17 00:00:00 2001
From: Chris Conlon
Date: Fri, 24 Jun 2016 13:57:09 -0600
Subject: [PATCH 1/4] fix possible out of bounds read in PemToDer, CU #1
---
src/ssl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssl.c b/src/ssl.c
index 82295ef6c..202972f22 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -3534,7 +3534,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
 /* eat end of line */
 if (consumedEnd[0] == '\n')
 consumedEnd++;
- else if (consumedEnd[1] == '\n')
+ else if ((consumedEnd + 1 < bufferEnd) && consumedEnd[1] == '\n')
 consumedEnd += 2;
 else {
 if (info)
From 2951e167b5d6922abce453bd0706314a5dab704f Mon Sep 17 00:00:00 2001
From: Chris Conlon
Date: Fri, 24 Jun 2016 14:17:52 -0600
Subject: [PATCH 2/4] check return code of PemToDer in wolfSSL_CertManagerVerifyBuffer, CU #2
---
src/ssl.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/ssl.c b/src/ssl.c
index 202972f22..5999bb5fd 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -4358,6 +4358,13 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
 info->consumed = 0;
 ret = PemToDer(buff, sz, CERT_TYPE, &der, cm->heap, info, &eccKey);
+ if (ret != 0) {
+ FreeDer(&der);
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(info, cm->heap, DYNAMIC_TYPE_TMP_BUFFER);
+ #endif
+ return ret;
+ }
 InitDecodedCert(cert, der->buffer, der->length, cm->heap);
 #ifdef WOLFSSL_SMALL_STACK
From 92e501c8e4d6138627be10b5d74bc7a41adc403d Mon Sep 17 00:00:00 2001
From: Chris Conlon
Date: Fri, 24 Jun 2016 14:37:45 -0600
Subject: [PATCH 3/4] fix possible out of bound read in PemToDer header, CU #3
---
src/ssl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/ssl.c b/src/ssl.c
index 5999bb5fd..d4fcaa0ba 100644
--- a/src/ssl.c
+++ b/src/ssl.c
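Review bot: The added bound guards only the `consumedEnd[1]` read; the `consumedEnd[0] == '\n'` test two lines above still dereferences `consumedEnd` with no check visible in this hunk that `consumedEnd < bufferEnd`, so the fix is complete only if an enclosing condition outside the hunk establishes that (PemToDer's body continues outside the hunk in both directions). The new branch also accepts any byte before the `'\n'`, not just `'\r'`; if CRLF is the intent, adding `consumedEnd[0] == '\r' &&` would make it explicit, at the cost of rejecting inputs the old code accepted. A one-line comment naming which check keeps `consumedEnd[0]` in bounds would make the invariant auditable for the next reader.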
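Review bot: The new early return releases `der` and `info` but nothing else the enclosing function may hold at this point; `cert` is handed to `InitDecodedCert` on the very next line and, if it is a heap object under `WOLFSSL_SMALL_STACK` (its allocation is outside the hunk), this path leaks it. It is also worth confirming that the heap hint in `XFREE(info, cm->heap, DYNAMIC_TYPE_TMP_BUFFER)` matches the one used when `info` was allocated, and that `FreeDer` tolerates a `der` that PemToDer left NULL on failure. wolfSSL_CertManagerVerifyBuffer's body continues outside the hunk in both directions.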
@@ -3456,6 +3456,9 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
 headerEnd += XSTRLEN(header);
+ if ((headerEnd + 1) >= bufferEnd)
+ return SSL_BAD_FILE;
+ /* eat end of line */
 if (headerEnd[0] == '\n')
 headerEnd++;
From 9c7bea46d24b4dab092adb299b2717ddee8e7a44 Mon Sep 17 00:00:00 2001
From: Chris Conlon
Date: Fri, 24 Jun 2016 14:42:06 -0600
Subject: [PATCH 4/4] fix out of bounds read in PemToDer with 0 size der buffer, CU #4
---
src/ssl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssl.c b/src/ssl.c
index d4fcaa0ba..5902ef8c2 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -3551,7 +3551,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
 /* set up der buffer */
 neededSz = (long)(footerEnd - headerEnd);
- if (neededSz > sz || neededSz < 0)
+ if (neededSz > sz || neededSz <= 0)
 return SSL_BAD_FILE;
 ret = AllocDer(pDer, (word32)neededSz, type, heap);
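Review bot: The new bound check makes `headerEnd[0]` and `headerEnd[1]` readable, but a too-short buffer now returns `SSL_BAD_FILE` without updating `info->consumed`, whereas the footer path's error exit in this series has an `if (info)` branch that appears to record progress; a caller iterating a multi-entry buffer by `consumed` would see a stale value, so if that asymmetry is intended it should be stated. The check is also shaped differently from the footer guard (`consumedEnd + 1 < bufferEnd`, covering only the second byte); one form for both reads would be easier to audit. A why-comment would help: `/* need the header plus at least one byte for the EOL check below */`. PemToDer's body continues outside the hunk in both directions.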
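Review bot: Rejecting `neededSz == 0` closes the zero-length-body case, but the condition says nothing about why, so a later reader may "simplify" it back; `/* PEM body must be non-empty and fit in the input buffer */` above the `if` would pin the intent, and the decoder that consumes the buffer is outside the hunk so the reason for the non-empty rule should be named there too. `sz` is not the `long longSz` parameter shown in the hunk header; if it is an unsigned copy, `neededSz > sz` is a mixed signed/unsigned comparison, which still ends in `SSL_BAD_FILE` for negative values because of the `<= 0` test but deserves a note so that test is not mistaken for redundant. PemToDer's body continues outside the hunk in both directions.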