From 7c86974d6de67d71c628f13e8bad93d5324ae5c5 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 2 Jun 2023 05:02:41 -0400 Subject: [PATCH] Fix overflow checks in x509write_crt Previous ones could still overflow. Signed-off-by: Andrzej Kurek --- library/x509write_crt.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index f57841c4fd..ea8471cfb0 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -186,19 +186,23 @@ int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *c * maximum 4 bytes for the length field, * 1 byte for the tag/type. */ - CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len + 4 + 1); + CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len); + CHECK_OVERFLOW_ADD(buflen, 4 + 1); break; case MBEDTLS_X509_SAN_DIRECTORY_NAME: { const mbedtls_asn1_named_data *chunk = &cur->node.san.directory_name; while (chunk != NULL) { - // 5 bytes for OID, max 4 bytes for length, +1 for tag, + // Max 4 bytes for length, +1 for tag, // additional 4 max for length, +1 for tag. // See x509_write_name for more information. - CHECK_OVERFLOW_ADD(buflen, chunk->val.len + 5 + 4 + 1 + 4 + 1); + CHECK_OVERFLOW_ADD(buflen, 4 + 1 + 4 + 1); + CHECK_OVERFLOW_ADD(buflen, chunk->oid.len); + CHECK_OVERFLOW_ADD(buflen, chunk->val.len); chunk = chunk->next; } - CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len + 4 + 1); + CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len); + CHECK_OVERFLOW_ADD(buflen, 4 + 1); break; } default: