alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-09 20:41:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

esp_crt_bundle: Add bounds checking for the "esp_crt_bundle_set" API.

Browse Source 
Closes https://github.com/espressif/esp-idf/issues/8397
This commit is contained in:
Aditya Patwardhan
2022-03-30 09:27:46 +05:30
parent a7578a68c0
commit c27c6916a7
5 changed files with 109 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
View File

@@ -146,27 +146,56 @@ int esp_crt_verify_callback(void *buf, mbedtls_x509_crt *crt, int depth, uint32_
/* Initialize the bundle into an array so we can do binary search for certs,
the bundle generated by the python utility is already presorted by subject name
*/
static esp_err_t esp_crt_bundle_init(const uint8_t *x509_bundle)
static esp_err_t esp_crt_bundle_init(const uint8_t *x509_bundle, size_t bundle_size)
{
s_crt_bundle.num_certs = (x509_bundle[0] << 8) | x509_bundle[1];
s_crt_bundle.crts = calloc(s_crt_bundle.num_certs, sizeof(x509_bundle));
if (bundle_size < BUNDLE_HEADER_OFFSET + CRT_HEADER_OFFSET) {
ESP_LOGE(TAG, "Invalid certificate bundle");
return ESP_ERR_INVALID_ARG;
}
if (s_crt_bundle.crts == NULL) {
uint16_t num_certs = (x509_bundle[0] << 8) | x509_bundle[1];
if (num_certs > CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_MAX_CERTS) {
ESP_LOGE(TAG, "No. of certs in the certificate bundle = %d exceeds\n"
"Max allowed certificates in the certificate bundle = %d\n"
"Please update the menuconfig option with appropriate value", num_certs, CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_MAX_CERTS);
return ESP_ERR_INVALID_ARG;
}
const uint8_t **crts = calloc(num_certs, sizeof(x509_bundle));
if (crts == NULL) {
ESP_LOGE(TAG, "Unable to allocate memory for bundle");
return ESP_ERR_NO_MEM;
}
const uint8_t *cur_crt;
/* This is the maximum region that is allowed to access */
const uint8_t *bundle_end = x509_bundle + bundle_size;
cur_crt = x509_bundle + BUNDLE_HEADER_OFFSET;
for (int i = 0; i < s_crt_bundle.num_certs; i++) {
s_crt_bundle.crts[i] = cur_crt;
for (int i = 0; i < num_certs; i++) {
crts[i] = cur_crt;
if (cur_crt + CRT_HEADER_OFFSET > bundle_end) {
ESP_LOGE(TAG, "Invalid certificate bundle");
free(crts);
return ESP_ERR_INVALID_ARG;
}
size_t name_len = cur_crt[0] << 8 | cur_crt[1];
size_t key_len = cur_crt[2] << 8 | cur_crt[3];
cur_crt = cur_crt + CRT_HEADER_OFFSET + name_len + key_len;
}
if (cur_crt > bundle_end) {
ESP_LOGE(TAG, "Invalid certificate bundle");
free(crts);
return ESP_ERR_INVALID_ARG;
}
/* The previous crt bundle is only updated when initialization of the
* current crt_bundle is successful */
/* Free previous crt_bundle */
free(s_crt_bundle.crts);
s_crt_bundle.num_certs = num_certs;
s_crt_bundle.crts = crts;
return ESP_OK;
}
@@ -175,7 +204,7 @@ esp_err_t esp_crt_bundle_attach(void *conf)
esp_err_t ret = ESP_OK;
// If no bundle has been set by the user then use the bundle embedded in the binary
if (s_crt_bundle.crts == NULL) {
ret = esp_crt_bundle_init(x509_crt_imported_bundle_bin_start);
ret = esp_crt_bundle_init(x509_crt_imported_bundle_bin_start, x509_crt_imported_bundle_bin_end - x509_crt_imported_bundle_bin_start);
}
if (ret != ESP_OK) {
@@ -206,9 +235,7 @@ void esp_crt_bundle_detach(mbedtls_ssl_config *conf)
}
}
void esp_crt_bundle_set(const uint8_t *x509_bundle)
esp_err_t esp_crt_bundle_set(const uint8_t *x509_bundle, size_t bundle_size)
{
// Free any previously used bundle
free(s_crt_bundle.crts);
esp_crt_bundle_init(x509_bundle);
return esp_crt_bundle_init(x509_bundle, bundle_size);
}