From 320a4b59a8959cf81d79a1849de22eaeea0cd02d Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Sat, 28 Mar 2009 18:52:39 +0000
Subject: [PATCH] - Added input handling for x509parse_crt() - Prevented
memory leak by only adding new certificate if needed in x509parse_crt() -
Add certificate before parsing if chain is 'full' in x509parse_crt()
---
library/x509parse.c | 51 +++++++++++++++++++++++++++++++++------------
1 file changed, 38 insertions(+), 13 deletions(-)
diff --git a/library/x509parse.c b/library/x509parse.c
index 9b68af4efe..25965595a6 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -657,9 +657,32 @@ int x509parse_crt( x509_cert *chain, unsigned char *buf, int buflen )
crt = chain;
- while( crt->version != 0 )
+ /*
+ * Check for valid input
+ */
+ if( crt == NULL || buf == NULL )
+ return( 1 );
+
+ while( crt->version != 0 || crt->next != NULL )
crt = crt->next;
+ /*
+ * Add new certificate on the end of the chain if needed.
+ */
+ if ( crt->next == NULL)
+ {
+ crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
+
+ if( crt->next == NULL )
+ {
+ x509_free( crt );
+ return( 1 );
+ }
+
+ crt = crt->next;
+ memset( crt, 0, sizeof( x509_cert ) );
+ }
+
/*
* check if the certificate is encoded in base64
*/
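Review bot: The new walk `while( crt->version != 0 || crt->next != NULL )` steps past the tail: when the last node holds a parsed certificate (`version != 0`, `next == NULL`) the condition is still true, `crt` becomes NULL and the next test dereferences it. The loop can only exit with `version == 0 && next == NULL`, so the following `if ( crt->next == NULL)` is always true and the certificate is parsed into a freshly allocated node behind an empty one. The recursion in the last hunk passes an already zeroed node and takes the same path, leaving empty entries in the chain. I would write the walk as `while( crt->version != 0 && crt->next != NULL )` and the guard as `if( crt->version != 0 && crt->next == NULL )`. The body of x509parse_crt continues outside the hunk.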
@@ -942,7 +965,7 @@ int x509parse_crt( x509_cert *chain, unsigned char *buf, int buflen )
return( ret );
}
- if( memcmp( crt->sig_oid1.p, crt->sig_oid2.p, 9 ) != 0 )
+ if( memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
{
x509_free( crt );
return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
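Review bot: Comparing `crt->sig_oid1.len` bytes without first checking that both OIDs have the same length lets the check pass when `sig_oid1` is a prefix of a longer `sig_oid2`, and reads past the end of `sig_oid2` when that one is shorter. Judging by the POLARSSL_ERR_X509_CERT_SIG_MISMATCH return, this is the test that the two signature algorithm identifiers in the certificate agree, so it should require equal lengths as well: `if( crt->sig_oid1.len != crt->sig_oid2.len || memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )`. Both OIDs are parsed outside the hunk, so whether their lengths are bounded earlier cannot be confirmed from here.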
@@ -961,19 +984,21 @@ int x509parse_crt( x509_cert *chain, unsigned char *buf, int buflen )
POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
}
- crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
-
- if( crt->next == NULL )
- {
- x509_free( crt );
- return( 1 );
- }
-
- crt = crt->next;
- memset( crt, 0, sizeof( x509_cert ) );
-
if( buflen > 0 )
+ {
+ crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
+
+ if( crt->next == NULL )
+ {
+ x509_free( crt );
+ return( 1 );
+ }
+
+ crt = crt->next;
+ memset( crt, 0, sizeof( x509_cert ) );
+
return( x509parse_crt( crt, buf, buflen ) );
+ }
return( 0 );
}
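Review bot: The tail call `return( x509parse_crt( crt, buf, buflen ) );` makes the recursion depth equal to the number of certificates remaining in `buf`, so stack use is driven by the input unless the compiler happens to turn the call into a jump. A loop over the remaining data would keep stack use constant, but the function starts outside this hunk, so that rewrite cannot be shown here. As a minimum I would document the limit above the call, e.g. `/* recursion depth == certificates left in buf; callers must bound the input size */`.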