X.509 AttributeTypeAndValue parsing doesn't respect bounds #2437
ARM Internal Ref: IOTSSL-2780

There is an analogous issue with the v3 extension parsing function.
Context: This is about the parsing of the X.509 `AttributeTypeAndValue` structure in `x509_get_attr_type_and_value()` from `library/x509.c`: https://github.com/ARMmbed/mbedtls/blob/f352f75f6bd5734c8f671323dd6ab32472d5da34/library/x509.c#L344-L370

Issue: The function doesn't obey the `len` bound for the outer `SEQUENCE`. Instead, it only makes sure that the parsing doesn't read past the surrounding `SET`, the end of which is passed to the function as `end`. For example, if the length of the outer `SEQUENCE` is `0` but there's more space remaining in the current `SET`, the function won't fail. This situation is actually exercised by the test https://github.com/ARMmbed/mbedtls/blob/development/tests/suites/test_suite_x509parse.data#L1001 which wrongly expects `MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG`, where it should be `MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA`.

This is not a security issue because the bounds of the surrounding `SET` are obeyed.
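The bounds problem described above, as an added example that is not mbed TLS code: a minimal DER parser for `AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY }` written in two variants. `atv_parse_buggy` bounds the inner `type`/`value` fields only by the end of the enclosing `SET`, so a `SEQUENCE` whose length is `0` is accepted when the bytes that follow inside the `SET` happen to parse; `atv_parse_fixed` bounds them by the inner `SEQUENCE`'s own end and requires it to be consumed exactly. The error codes, tag constants, the `struct attr` type and the two sample encodings are this example's own (the codes merely mirror the two ASN.1 errors the issue names); the parser handles short-form lengths only, which is enough for the inputs shown.

```c
/* Added example (not mbed TLS code): inner-SEQUENCE bounds in an
 * AttributeTypeAndValue parser. Error codes, tags and struct are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_OUT_OF_DATA     (-1)  /* ran out of bytes before the element ended */
#define ERR_UNEXPECTED_TAG  (-2)  /* tag byte is not the one expected */
#define ERR_LENGTH_MISMATCH (-3)  /* bytes left over inside the element's own length */

#define TAG_OID       0x06
#define TAG_SEQUENCE  0x30
#define TAG_SET       0x31

struct attr {
    const uint8_t *oid; size_t oid_len;   /* type OBJECT IDENTIFIER contents */
    uint8_t val_tag;                      /* tag of the ANY value */
    const uint8_t *val; size_t val_len;   /* value contents */
};

/* Read a TLV header whose tag must equal `tag` (short-form length only).
 * On success *p points at the contents and *len fits before `end`. */
static int get_tag(const uint8_t **p, const uint8_t *end, size_t *len, uint8_t tag)
{
    if (end - *p < 2)       return ERR_OUT_OF_DATA;
    if ((*p)[0] != tag)     return ERR_UNEXPECTED_TAG;
    if ((*p)[1] & 0x80)     return ERR_OUT_OF_DATA;  /* long form: not used here */
    *len = (*p)[1];
    *p += 2;
    if ((size_t)(end - *p) < *len) return ERR_OUT_OF_DATA;
    return 0;
}

/* Parse `type` and `value`; every read is bounded by `limit`. */
static int parse_fields(const uint8_t **p, const uint8_t *limit, struct attr *out)
{
    int ret;
    if ((ret = get_tag(p, limit, &out->oid_len, TAG_OID)) != 0) return ret;
    out->oid = *p;
    *p += out->oid_len;
    if (limit - *p < 1) return ERR_OUT_OF_DATA;       /* value is missing */
    out->val_tag = **p;                                 /* ANY: accept whatever tag is there */
    if ((ret = get_tag(p, limit, &out->val_len, out->val_tag)) != 0) return ret;
    out->val = *p;
    *p += out->val_len;
    return 0;
}

/* Buggy variant (the behaviour the issue reports): the SEQUENCE length is read
 * and then ignored; fields are bounded only by the enclosing SET's `end`. */
int atv_parse_buggy(const uint8_t **p, const uint8_t *end, struct attr *out)
{
    size_t len; int ret;
    if ((ret = get_tag(p, end, &len, TAG_SEQUENCE)) != 0) return ret;
    (void)len;                                          /* <-- the bound that is never applied */
    return parse_fields(p, end, out);
}

/* Fixed variant: fields are bounded by the inner SEQUENCE's own end, which
 * must be reached exactly once both fields have been read. */
int atv_parse_fixed(const uint8_t **p, const uint8_t *end, struct attr *out)
{
    size_t len; int ret;
    if ((ret = get_tag(p, end, &len, TAG_SEQUENCE)) != 0) return ret;
    const uint8_t *seq_end = *p + len;
    if ((ret = parse_fields(p, seq_end, out)) != 0) return ret;
    if (*p != seq_end) return ERR_LENGTH_MISMATCH;
    return 0;
}

/* Unwrap a DER SET and run one variant on its first AttributeTypeAndValue.
 * Returns the parser's code (0 on success); `out` may be NULL. */
int parse_first_in_set(const uint8_t *buf, size_t buf_len, int fixed, struct attr *out)
{
    struct attr tmp;
    const uint8_t *p = buf, *end = buf + buf_len;
    size_t len; int ret;
    if (out == NULL) out = &tmp;
    if ((ret = get_tag(&p, end, &len, TAG_SET)) != 0) return ret;
    end = p + len;                                      /* bound passed down, as in the issue */
    return fixed ? atv_parse_fixed(&p, end, out) : atv_parse_buggy(&p, end, out);
}

/* Constructed inputs (not from the mbed TLS test suite):
 * SET { SEQUENCE { OID 2.5.4.3, PrintableString "AB" } } */
static const uint8_t GOOD[] =
    { 0x31,0x0b, 0x30,0x09, 0x06,0x03,0x55,0x04,0x03, 0x13,0x02,'A','B' };
/* Same bytes, but the inner SEQUENCE claims length 0 (the issue's case). */
static const uint8_t EMPTY_SEQ[] =
    { 0x31,0x0b, 0x30,0x00, 0x06,0x03,0x55,0x04,0x03, 0x13,0x02,'A','B' };
/* Inner SEQUENCE one byte longer than its two fields: trailing byte inside it. */
static const uint8_t TRAILING[] =
    { 0x31,0x0c, 0x30,0x0a, 0x06,0x03,0x55,0x04,0x03, 0x13,0x02,'A','B', 0x00 };

int main(void)
{
    printf("EMPTY_SEQ  buggy=%d fixed=%d\n",
           parse_first_in_set(EMPTY_SEQ, sizeof EMPTY_SEQ, 0, NULL),
           parse_first_in_set(EMPTY_SEQ, sizeof EMPTY_SEQ, 1, NULL));
    printf("TRAILING   buggy=%d fixed=%d\n",
           parse_first_in_set(TRAILING, sizeof TRAILING, 0, NULL),
           parse_first_in_set(TRAILING, sizeof TRAILING, 1, NULL));
    return 0;
}
```

On `EMPTY_SEQ` the buggy variant returns `0` because the `type` and `value` it reads lie outside the zero-length `SEQUENCE` but inside the `SET`, while the fixed variant fails with the out-of-data code at the first field, which is the error the issue says the test case should expect. The `TRAILING` input shows the other half of honouring the inner length: the fixed variant reports a length mismatch for the stray byte that the buggy variant silently leaves for the next element.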