From dbbd96652ceff314a45f23be40b3820dbd540347 Mon Sep 17 00:00:00 2001
From: Ron Eldor
Date: Wed, 15 May 2019 15:46:03 +0300
Subject: [PATCH] Check that SAN is not malformed when parsing
Add a call to `mbedtls_x509_parse_subject_alt_name()` during certificate parsing, to verify the certificate is not malformed.
---
 library/x509_crt.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 701b0142d..754a65fdf 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -642,6 +642,9 @@ static int x509_get_subject_alt_name( unsigned char **p,
 while( *p < end )
 {
+ mbedtls_x509_subject_alternative_name dummy_san_buf;
+ memset( &dummy_san_buf, 0, sizeof( dummy_san_buf ) );
+
 if( ( end - *p ) < 1 )
 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA );
@@ -658,6 +661,29 @@ static int x509_get_subject_alt_name( unsigned char **p,
 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
 }
+ /*
+ * Check that the SAN are structured correct.
+ */
+ ret = mbedtls_x509_parse_subject_alt_name( &(cur->buf), &dummy_san_buf );
+ /*
+ * In case the extension is malformed, return an error,
+ * and clear the allocated sequences.
+ */
+ if( ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )
+ {
+ mbedtls_x509_sequence *seq_cur = subject_alt_name->next;
+ mbedtls_x509_sequence *seq_prv;
+ while( seq_cur != NULL )
+ {
+ seq_prv = seq_cur;
+ seq_cur = seq_cur->next;
+ mbedtls_platform_zeroize( seq_prv,
+ sizeof( mbedtls_x509_sequence ) );
+ mbedtls_free( seq_prv );
+ }
+ return( ret );
+ }
+
 /* Allocate and assign next pointer */
 if( cur->buf.p != NULL )
 {
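Review bot: The validation call `ret = mbedtls_x509_parse_subject_alt_name( &(cur->buf), &dummy_san_buf );` in the second hunk runs before the element just read is stored: judging by the `if( cur->buf.p != NULL )` guard that follows it, `cur->buf` at that point still holds the previous element (or is all-zero on the first iteration), so each element would be checked one iteration late and the last one never, and the block belongs after the point later in the loop (outside the hunk) where `cur->buf` is filled in, parsing that buffer instead. The error path also leaves `subject_alt_name->next` pointing at freed memory once the while loop finishes; add `subject_alt_name->next = NULL;` before `return( ret );`, otherwise a caller that frees the list on failure would free it twice. The other early returns in this loop (the `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG` path just above, for one) do not free the chain at all, so error-path ownership should be decided once for the whole function rather than only here. x509_get_subject_alt_name starts and ends outside the hunk.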