Fix X.509 SAN parsing
Fixes #2838. See the issue description for more information.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 0eee97c..289f0c5 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -645,8 +645,6 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len, tag_len;
- mbedtls_asn1_buf *buf;
- unsigned char tag;
mbedtls_asn1_sequence *cur = subject_alt_name;
/* Get main sequence tag */
@@ -661,14 +659,19 @@
while( *p < end )
{
mbedtls_x509_subject_alternative_name dummy_san_buf;
+ mbedtls_x509_buf tmp_san_buf;
memset( &dummy_san_buf, 0, sizeof( dummy_san_buf ) );
- tag = **p;
+ tmp_san_buf.tag = **p;
(*p)++;
+
if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 )
return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
- if( ( tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) !=
+ tmp_san_buf.p = *p;
+ tmp_san_buf.len = tag_len;
+
+ if( ( tmp_san_buf.tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) !=
MBEDTLS_ASN1_CONTEXT_SPECIFIC )
{
return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
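Review bot: The new `tmp_san_buf` local at the top of the loop body carries the element's tag, pointer and length through the structural check before any list node is written, but nothing in the hunk says why the element is staged in a local instead of being written into `cur->buf` directly, so a later cleanup could fold it back. Suggest adding above the `mbedtls_x509_buf tmp_san_buf;` declaration: `/* Stage the element in a local so the structure check runs on the element just read; the list node's buffer is only assigned once the element is known to be well-formed. */`. All three members of `tmp_san_buf` are assigned before it is passed to `mbedtls_x509_parse_subject_alt_name` in the following hunk, so the absent `memset` is not a defect today; if the project prefers the two locals to be handled alike, `memset( &tmp_san_buf, 0, sizeof( tmp_san_buf ) );` next to the one for `dummy_san_buf` would do it. The enclosing function starts before this hunk and its body continues past it.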
@@ -678,7 +681,7 @@
/*
* Check that the SAN is structured correctly.
*/
- ret = mbedtls_x509_parse_subject_alt_name( &(cur->buf), &dummy_san_buf );
+ ret = mbedtls_x509_parse_subject_alt_name( &tmp_san_buf, &dummy_san_buf );
/*
* In case the extension is malformed, return an error,
* and clear the allocated sequences.
@@ -705,11 +708,8 @@
cur = cur->next;
}
- buf = &(cur->buf);
- buf->tag = tag;
- buf->p = *p;
- buf->len = tag_len;
- *p += buf->len;
+ cur->buf = tmp_san_buf;
+ *p += tmp_san_buf.len;
}
/* Set final sequence entry's next pointer to NULL */