From e51bde06daff0ac92f0545ebe4406bda260542e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 3 Jun 2025 11:22:55 +0200
Subject: [PATCH] Fix possible UB in mbedtls_asn1_write_raw_buffer()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is mostly unrelated to other commits in this PR, except for the fact that one of the added X.509 tests revealed that with UBSan.
Signed-off-by: Manuel Pégourié-Gonnard
---
 ChangeLog.d/fix-asn1write-raw-buffer.txt | 5 +++++
 library/asn1write.c | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 ChangeLog.d/fix-asn1write-raw-buffer.txt
diff --git a/ChangeLog.d/fix-asn1write-raw-buffer.txt b/ChangeLog.d/fix-asn1write-raw-buffer.txt
new file mode 100644
index 0000000000..292631aabc
--- /dev/null
+++ b/ChangeLog.d/fix-asn1write-raw-buffer.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * When calling mbedtls_asn1_write_raw_buffer() with NULL, 0 as the last two
+ arguments, undefined behaviour would be triggered, in the form of a call to
+ memcpy(..., NULL, 0). This was harmless in practice, but could trigger
+ complains from sanitizers or static analyzers.
diff --git a/library/asn1write.c b/library/asn1write.c
index 415357b7b5..97f9db039b 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -90,7 +90,9 @@ int mbedtls_asn1_write_raw_buffer(unsigned char **p, const unsigned char *start,
 len = size;
 (*p) -= len;
- memcpy(*p, buf, len);
+ if (len != 0) {
+ memcpy(*p, buf, len);
+ }
 return (int) len;
 }
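Review bot: The new `if (len != 0)` guard in front of `memcpy(*p, buf, len)` has no comment explaining why it is needed, so a later cleanup could drop it as a redundant test; I would add `/* buf may be NULL when size is 0; memcpy() with a null pointer is UB even for a zero length */` above it. The guard only covers the zero-length case: a NULL `buf` with a non-zero `size` still reaches memcpy, so the function's API documentation (not visible here) should say that `buf` may be NULL only when `size` is 0. Because compilers may treat memcpy's pointer arguments as non-null and optimise later checks on that basis, the guard is worth keeping even where no sanitizer is in use. The start of mbedtls_asn1_write_raw_buffer(), including its bounds check, lies outside the hunk.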