Prevent Integer Overflow In ASN1Writer::EncodeHead(), Certificate, and Key Read Utility Function.

emargolis · robszewczyk · commit c5d1aeb0c8e7 · 2019-08-19T10:08:22.000-07:00
-- Promoted internal length variable (totalLen) from uint16_t to uint32_t. -- Added check that the valid length value (len) is provided as function input. -- Added checks to validate appropriate certificate and key sizes to prevent integer overflow. This change addresses CVE security vulnerability: CVE-2019-5039
diff --git a/src/lib/support/ASN1Writer.cpp b/src/lib/support/ASN1Writer.cpp
@@ -427,14 +427,17 @@ ASN1_ERROR ASN1Writer::EncodeHead(uint8_t cls, uint32_t tag, bool isConstructed,
 {
     ASN1_ERROR err = ASN1_NO_ERROR;
     uint8_t lenOfLen;
-    uint16_t totalLen;
+    uint32_t totalLen;
 
     // Do nothing for a null writer.
     VerifyOrExit(mBuf != NULL, err = ASN1_NO_ERROR);
 
     // Only tags <= 31 supported. The implication of this is that encoded tags are exactly 1 byte long.
     VerifyOrExit(tag <= 0x1F, err = ASN1_ERROR_UNSUPPORTED_ENCODING);
 
+    // Only positive and kUnkownLength values are supported for len input.
+    VerifyOrExit(len >= 0 || len == kUnkownLength, err = ASN1_ERROR_UNSUPPORTED_ENCODING);
+
     // Compute the number of bytes required to encode the length.
     lenOfLen = GetLengthOfLength(len);
 
diff --git a/src/tools/weave/CertUtils.cpp b/src/tools/weave/CertUtils.cpp
@@ -63,6 +63,8 @@ bool ReadCert(const char *fileName, X509 *& cert, CertFormat& origCertFmt)
     if (!ReadFileIntoMem(fileName, certBuf, certLen))
         ExitNow(res = false);
 
+    VerifyOrExit(certLen <= MAX_CERT_SIZE, res = false);
+
     curCertFmt = origCertFmt = DetectCertFormat(certBuf, certLen);
 
     if (curCertFmt == kCertFormat_X509_PEM)
@@ -150,6 +152,8 @@ bool ReadWeaveCert(const char *fileName, uint8_t *& certBuf, uint32_t& certLen)
     if (!ReadFileIntoMem(fileName, certBuf, certLen))
         ExitNow(res = false);
 
+    VerifyOrExit(certLen <= MAX_CERT_SIZE, res = false);
+
     certFmt = DetectCertFormat(certBuf, certLen);
     if (certFmt != kCertFormat_Weave_Raw && certFmt != kCertFormat_Weave_Base64)
     {
diff --git a/src/tools/weave/KeyUtils.cpp b/src/tools/weave/KeyUtils.cpp
@@ -51,6 +51,8 @@ bool ReadPrivateKey(const char *fileName, const char *prompt, EVP_PKEY *& key)
     if (!res)
         ExitNow();
 
+    VerifyOrExit(keyDataLen <= MAX_KEY_SIZE, res = false);
+
     res = DecodePrivateKey(keyData, keyDataLen, kKeyFormat_Unknown, fileName, prompt, key);
 
 exit:
@@ -69,6 +71,9 @@ bool ReadPublicKey(const char *fileName, EVP_PKEY *& key)
     res = ReadFileIntoMem(fileName, keyData, keyDataLen);
     if (!res)
         ExitNow();
+
+    VerifyOrExit(keyDataLen <= MAX_KEY_SIZE, res = false);
+
     res = DecodePublicKey(keyData, keyDataLen, kKeyFormat_Unknown, fileName, key);
 
 exit:
