NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/wolfssl: add upstream security fix for CVE-2019–18840

Browse Source 
Fixes the following security vulnerability:

- CVE-2019-18840: In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity
  checks of memory accesses in parsing ASN.1 certificate data while
  handshaking.  Specifically, there is a one-byte heap-based buffer overflow
  inside the DecodedCert structure in GetName in wolfcrypt/src/asn.c because
  the domain name location index is mishandled.  Because a pointer is
  overwritten, there is an invalid free.

For details, see the writeup:
https://medium.com/@social_62682/heap-overflow-in-wolfssl-cve-2019-18840-185d233c27de

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Peter Korsgaard 2019-11-28 16:37:18 +01:00
parent ab566a9acc
commit 92327cd9e2
1 changed files with 84 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
package/wolfssl/0001-Check-domain-name-location-index-hasn-t-exceed-maxim.patch Normal file
View File

@ -0,0 +1,84 @@
From 52f28bd5149360f8e3bf8ca13d3fb9a77283df7c Mon Sep 17 00:00:00 2001
From: Sean Parkinson <sean@wolfssl.com>
Date: Wed, 6 Nov 2019 08:28:09 +1000
Subject: [PATCH] Check domain name location index hasn't exceed maximum before
setting
[CVE-201918840]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
wolfcrypt/src/asn.c | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 637f4c355..d3793b7b3 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -5117,8 +5117,10 @@ static int GetName(DecodedCert* cert, int nameType)
XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen);
idx += strLen;
#if defined(OPENSSL_EXTRA)
- /* store order that DN was parsed */
- dName->loc[count++] = id;
+ if (count < DOMAIN_COMPONENT_MAX) {
+ /* store order that DN was parsed */
+ dName->loc[count++] = id;
+ }
#endif
}
@@ -5191,8 +5193,10 @@ static int GetName(DecodedCert* cert, int nameType)
XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen);
idx += strLen;
#if defined(OPENSSL_EXTRA)
- /* store order that DN was parsed */
- dName->loc[count++] = id;
+ if (count < DOMAIN_COMPONENT_MAX) {
+ /* store order that DN was parsed */
+ dName->loc[count++] = id;
+ }
#endif
}
@@ -5276,8 +5280,10 @@ static int GetName(DecodedCert* cert, int nameType)
XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
idx += adv;
#if defined(OPENSSL_EXTRA)
- /* store order that DN was parsed */
- dName->loc[count++] = ASN_EMAIL_NAME;
+ if (count < DOMAIN_COMPONENT_MAX) {
+ /* store order that DN was parsed */
+ dName->loc[count++] = ASN_EMAIL_NAME;
+ }
#endif
}
}
@@ -5298,8 +5304,10 @@ static int GetName(DecodedCert* cert, int nameType)
dName->uidLen = adv;
#ifdef OPENSSL_EXTRA
- /* store order that DN was parsed */
- dName->loc[count++] = ASN_USER_ID;
+ if (count < DOMAIN_COMPONENT_MAX) {
+ /* store order that DN was parsed */
+ dName->loc[count++] = ASN_USER_ID;
+ }
#endif
#endif /* OPENSSL_EXTRA */
break;
@@ -5315,8 +5323,10 @@ static int GetName(DecodedCert* cert, int nameType)
dcnum++;
#ifdef OPENSSL_EXTRA
- /* store order that DN was parsed */
- dName->loc[count++] = ASN_DOMAIN_COMPONENT;
+ if (count < DOMAIN_COMPONENT_MAX) {
+ /* store order that DN was parsed */
+ dName->loc[count++] = ASN_DOMAIN_COMPONENT;
+ }
#endif
#endif /* OPENSSL_EXTRA */
break;
--
2.20.1