aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2019-06-22 15:11:24 (GMT)
committerJouni Malinen <j@w1.fi>2019-06-22 15:11:24 (GMT)
commitce11c281ad1de25a815d49a29043d127cbc6354d (patch)
tree9fe60923228bc2b453eda48dc59c008d7c323763
parentdf5dc8787347859827f615d5cb20a888ba6c074c (diff)
downloadhostap-ce11c281ad1de25a815d49a29043d127cbc6354d.zip
hostap-ce11c281ad1de25a815d49a29043d127cbc6354d.tar.gz
hostap-ce11c281ad1de25a815d49a29043d127cbc6354d.tar.bz2
TLS: Fix X.509v3 BasicConstraints parsing
Handling of the optional pathLenConstraint after cA was not done properly. The position after cA needs to be compared to the end of the SEQUENCE, not the end of the available buffer, to determine whether the optional pathLenConstraint is present. In addition, when parsing pathLenConstraint, the length of the remaining buffer was calculated incorrectly by not subtracting the length of the header fields needed for cA. This could result in reading couple of octets beyond the end of the buffer before rejecting the ASN.1 data as invalid. Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15408 Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--src/tls/x509v3.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index d74b3a2..71ac6b9 100644
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@@ -815,6 +815,7 @@ static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
struct asn1_hdr hdr;
unsigned long value;
size_t left;
+ const u8 *end_seq;
/*
* BasicConstraints ::= SEQUENCE {
@@ -836,6 +837,7 @@ static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
if (hdr.length == 0)
return 0;
+ end_seq = hdr.payload + hdr.length;
if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL) {
wpa_printf(MSG_DEBUG, "X509: Failed to parse "
@@ -852,14 +854,14 @@ static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
}
cert->ca = hdr.payload[0];
- if (hdr.length == pos + len - hdr.payload) {
+ pos = hdr.payload + hdr.length;
+ if (pos >= end_seq) {
+ /* No optional pathLenConstraint */
wpa_printf(MSG_DEBUG, "X509: BasicConstraints - cA=%d",
cert->ca);
return 0;
}
-
- if (asn1_get_next(hdr.payload + hdr.length, len - hdr.length,
- &hdr) < 0 ||
+ if (asn1_get_next(pos, end_seq - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL) {
wpa_printf(MSG_DEBUG, "X509: Failed to parse "
"BasicConstraints");