# Stack buffer overflow in ECDSA signature conversion functions **Title** | Stack buffer overflow in ECDSA signature conversion functions --------- | ----------------------------------------------------- **CVE** | CVE-2024-45158 **Date** | 30 August 2024 **Affects** | Mbed TLS 3.6.0 **Severity** | High ## Vulnerability In Mbed TLS 3.6.0, the functions `mbedtls_ecdsa_der_to_raw()` and `mbedtls_ecdsa_raw_to_der()` do not correctly validate their `bits` argument. If the value of that argument is larger than the bit-length of the largest supported curve, these functions may overflow a buffer on the stack with content copied from their input parameter. When `MBEDTLS_PSA_CRYPTO_C` is enabled, the maximum safe value of `bits` is the size of the largest curve supported by the PSA API. All curves supported by the legacy API (`ecp.h`, `ecdh.h`, `ecdsa.h`, `ecjpake.h`, `pk.h`) are also supported by the PSA API, thus any curve size supported in Mbed TLS is safe. However, code that calls these functions without ensuring that `bits` corresponds to a supported curve is vulnerable. When `MBEDTLS_PSA_CRYPTO_C` is disabled, in some configurations, the functions use a 0-size buffer internally. If this is not detected at compile time, the functions would overflow their internal buffer for all correct inputs. These functions are declared in `mbedtls/psa_util.h` and were intended for use together with the PSA API, but they were not excluded from builds without PSA. All the calls to these functions made inside Mbed TLS are safe. ## Impact Applications that call `mbedtls_ecdsa_der_to_raw()` or `mbedtls_ecdsa_raw_to_der()` on attacker-controlled input are vulnerable to a stack buffer overflow with attacker-chosen content. Note that to provoke the attack, the attacker needs to control the declared curve bit-size, not just the buffer size and content. ## Resolution Affected users will want to upgrade to Mbed TLS 3.6.1. ## Work-around Code that calls `mbedtls_ecdsa_der_to_raw()` and `mbedtls_ecdsa_raw_to_der()` in Mbed TLS 3.6.0 is safe if `MBEDTLS_PSA_CRYPTO_C` is enabled and the calling code first ensures that the `bits` parameter is the bit-size of a curve that is supported in the build of Mbed TLS.