Add bounds check to GetIntPositive #6676
guidovranken wants to merge 1 commit into wolfSSL:master from guidovranken:getintpositive-bounds-check
Can one of the admins verify this patch?

ok to test, retest this please Jenkins
| if (ret != 0) | ||
| return ret; | ||
|
|
||
| if (idx < 1 || idx >= maxIdx) { |
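Review bot: on the added `if (idx < 1 || idx >= maxIdx)` line, both bounds are absolute offsets and neither is tied to the INTEGER that was just decoded. `idx < 1` only rules out a read before offset 0 of `input`, not before the start of the encoding the caller passed in, and `idx >= maxIdx` shows that one byte is available at `idx` without saying whether the decoded length is non-zero. Consider gating the byte accesses that follow on the decoded length being greater than 0, and add a comment naming which read each bound protects.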
Can't check for 1 as the starting index may not be zero.
GetASNInt ensures that a header (2 bytes) is read.
The length may be 0 though, and this is a problem.
The index won't be greater than maxIdx but the idx + length is not checked.
Can you suggest a change please?
Checked the code again and GetASNInt calls GetASNHeader and that will check that the length corresponds to bytes in the buffer. So no need to check: idx + length > maxIdx.
    if (length > 0) {
        /* Check that the preceding byte is zero when top bit set. */
        if (((input[idx] & 0x80) == 0x80) && (input[idx - 1] != 0x00))
            return MP_INIT_E;
    }
Note that when the first byte of data has the top bit set, the preceding byte is the length and must be > 0.
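A bounds-checked form of the positivity test discussed in this thread, as an added example that is not wolfSSL's code and not part of this PR. The function name, return codes and sample bytes are assumptions; it handles only short-form lengths and decides the sign at the first content byte instead of inspecting `input[idx - 1]`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical return codes for this example (not wolfSSL's error values). */
enum { INT_OK = 0, INT_PARSE_E = -1, INT_NEGATIVE_E = -2 };

/* Parse a short-form DER INTEGER starting at in[*idx] and require it to be
 * non-negative. On success *idx points at the first magnitude byte (any
 * sign-padding 0x00 is skipped) and *len is the number of magnitude bytes.
 * Every read is preceded by a check against max_idx, and no byte before the
 * caller's starting offset is ever read. */
int get_int_positive(const uint8_t *in, size_t *idx, size_t max_idx,
                     size_t *len)
{
    size_t i = *idx, n;

    if (i > max_idx || max_idx - i < 2)        /* room for tag + length? */
        return INT_PARSE_E;
    if (in[i] != 0x02 || (in[i + 1] & 0x80))   /* INTEGER, short form only */
        return INT_PARSE_E;
    n = in[i + 1];
    i += 2;
    if (n == 0 || max_idx - i < n)             /* empty or truncated content */
        return INT_PARSE_E;
    if (in[i] & 0x80)                          /* top bit set: negative */
        return INT_NEGATIVE_E;
    if (in[i] == 0x00 && n > 1) {              /* sign-padding zero byte */
        if (!(in[i + 1] & 0x80))               /* padding not needed: not DER */
            return INT_PARSE_E;
        i++;
        n--;
    }
    *idx = i;
    *len = n;
    return INT_OK;
}

int main(void)
{
    /* Constructed sample: SEQUENCE header, then INTEGER 02 02 00 80 (= 128). */
    const uint8_t der[] = { 0x30, 0x04, 0x02, 0x02, 0x00, 0x80 };
    size_t idx = 2, len = 0;
    int ret = get_int_positive(der, &idx, sizeof der, &len);

    printf("ret=%d idx=%zu len=%zu\n", ret, idx, len);
    return ret == INT_OK ? 0 : 1;
}
```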
Different fix in #6739
Description
Add bounds check to asn.c GetIntPositive() to ensure subsequent buffer access is within array bounds.
ZD 16549
Testing
Fuzzing
Checklist