Add length checking in certificate policy parsing

Change the bound used when parsing the extension to `policy_end`, and verify that
the policy and qualifier lengths do not exceed the end of the extension.
This commit is contained in:
Ron Eldor 2019-05-13 16:38:39 +03:00
parent 78c3040347
commit 0806379e3e


@ -779,7 +779,7 @@ static int x509_get_certificate_policies( unsigned char **p,
policy_end = *p + len; policy_end = *p + len;
if( ( ret = mbedtls_asn1_get_tag( p, end, &len, if( ( ret = mbedtls_asn1_get_tag( p, policy_end, &len,
MBEDTLS_ASN1_OID ) ) != 0 ) MBEDTLS_ASN1_OID ) ) != 0 )
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
@ -806,11 +806,27 @@ static int x509_get_certificate_policies( unsigned char **p,
buf->tag = policy_oid.tag; buf->tag = policy_oid.tag;
buf->p = policy_oid.p; buf->p = policy_oid.p;
buf->len = policy_oid.len; buf->len = policy_oid.len;
*p += len;
/* /*
* Skip the optional policy qualifiers, * If there is an optional qualifier, then *p < policy_end
* and set the pointer to the end of the policy. * Check the Qualifier len to verify it doesn't exceed policy_end.
*/ */
*p = (unsigned char *)policy_end; if( *p < policy_end )
{
if( ( ret = mbedtls_asn1_get_tag( p, policy_end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
/*
* Skip the optional policy qualifiers.
*/
*p += len;
}
if( *p != policy_end )
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
} }
/* Set final sequence entry's next pointer to NULL */ /* Set final sequence entry's next pointer to NULL */
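Review bot: The new `*p += len;` placed directly after the OID copy carries no comment, and the block comment that follows it reads as if it explained that line, so a reader can mistake the qualifier tag check for the OID skip; a one-line comment at that line such as `/* Step over the policy OID value; len was bounded by policy_end in the tag parse above */` keeps the two advances distinct. The `*p != policy_end` check replaces what used to be a silent jump to the end of the policy with a hard `MBEDTLS_ERR_ASN1_LENGTH_MISMATCH`, which is the stricter and safer treatment of untrusted certificate data, but the comment above the `if` should say so explicitly, e.g. `/* Trailing bytes inside a PolicyInformation are rejected, not skipped */`. The qualifiers SEQUENCE is only tag- and length-checked and its contents are never walked, so the PolicyQualifierInfo entries reach the caller unvalidated; noting that in the "Skip the optional policy qualifiers" comment would stop a later reader from assuming they were parsed. The early returns inside this loop leave a partially built certificate_policies list behind; presumably the caller frees it on error, but that, like the start of x509_get_certificate_policies, is outside the hunk.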