
NULL pointer: cause program collapse


Oct 10, 2017 14:31
vonwaist

Platform: ubuntu 14.04

In line 93 of the x509_create.c:

89 int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name )
90 {
91     int ret = 0;
92     const char *s = name, *c = s;
93     const char *end = s + strlen( s );
94     const char *oid = NULL;
...

The null pointer is not checked. If the argument 'name' is NULL, strlen(s) in line 93 will cause a collapse: "Segmentation fault(Core Dump)"

The same problem is found in line 436 of bignum.c and in line 116 and 117 of x509write_crt.c:

library/bignum.c:

424 int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s )
425 {
426     int ret;
427     size_t i, j, slen, n;
428     mbedtls_mpi_uint d;
429     mbedtls_mpi T;
430
431     if( radix < 2 || radix > 16 )
432         return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
433
434     mbedtls_mpi_init( &T );
435
436     slen = strlen( s );
...

library/x509write_crt.c:

113 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
114                                         const char *not_after )
115 {
116     if( strlen( not_before ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 ||
117         strlen( not_after ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 )
118     {
119         return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
120     }
...
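A caller-side guard for the string arguments shown in the excerpts above, as an added example that is not part of the original post or of the Mbed TLS code base. The function names and return codes are hypothetical, and the digits-only check assumes the 14-character validity strings have the form YYYYMMDDhhmmss.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed return codes for this example; not Mbed TLS error values. */
#define ARG_OK        0
#define ARG_NULL     -1
#define ARG_BAD_DATA -2

/* Mirrors MBEDTLS_X509_RFC5280_UTC_TIME_LEN (15): 14 characters plus NUL. */
#define VALIDITY_TIME_LEN 15

/* Guard for a not_before / not_after argument (hypothetical helper). */
int check_validity_arg(const char *t)
{
    if (t == NULL)
        return ARG_NULL;                 /* reject before any strlen() */
    if (strlen(t) != VALIDITY_TIME_LEN - 1)
        return ARG_BAD_DATA;
    for (const char *p = t; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p)) /* assumed YYYYMMDDhhmmss format */
            return ARG_BAD_DATA;
    return ARG_OK;
}

/* Guard for the (radix, s) pair handed to a string-to-bignum parser
 * (hypothetical helper). */
int check_mpi_string_arg(int radix, const char *s)
{
    if (s == NULL)
        return ARG_NULL;
    if (radix < 2 || radix > 16)         /* same range as the excerpt */
        return ARG_BAD_DATA;
    if (*s == '-')
        s++;                             /* optional sign */
    if (*s == '\0')
        return ARG_BAD_DATA;             /* this example rejects empty input */
    for (; *s != '\0'; s++) {
        int c = tolower((unsigned char)*s);
        int d = isdigit(c) ? c - '0'
              : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : 255;
        if (d >= radix)                  /* digit not valid in this radix */
            return ARG_BAD_DATA;
    }
    return ARG_OK;
}
```

Calling these before the library functions keeps a NULL or malformed string from reaching the unchecked strlen() calls.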

 
Oct 15, 2017 15:33
Ron Eldor

Hi vonwaist,
Thank you for reporting this issue!
I have opened a github issue in your name.
Regards,
Mbed TLS Team member
Ron