TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 7c86974d6de67d71c628f13e8bad93d5324ae5c5^! / .
commit7c86974d6de67d71c628f13e8bad93d5324ae5c5[log] [tgz]
authorAndrzej Kurek <andrzej.kurek@arm.com>Fri Jun 02 05:02:41 2023 -0400
committerAndrzej Kurek <andrzej.kurek@arm.com>Fri Jun 02 05:02:41 2023 -0400
tree5448312cd6a3885d7c400750aa19f710f1ed453e
parent51cef9ce38c36bac8a060bbfae025d1defae2651 [diff]
Fix overflow checks in x509write_crt

Previous ones could still overflow.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>

diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index f57841c..ea8471c 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c

@@ -186,19 +186,23 @@
                  * maximum 4 bytes for the length field,
                  * 1 byte for the tag/type.
                  */
-                CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len + 4 + 1);
+                CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len);
+                CHECK_OVERFLOW_ADD(buflen, 4 + 1);
                 break;
             case MBEDTLS_X509_SAN_DIRECTORY_NAME:
             {
                 const mbedtls_asn1_named_data *chunk = &cur->node.san.directory_name;
                 while (chunk != NULL) {
-                    // 5 bytes for OID, max 4 bytes for length, +1 for tag,
+                    // Max 4 bytes for length, +1 for tag,
                     // additional 4 max for length, +1 for tag.
                     // See x509_write_name for more information.
-                    CHECK_OVERFLOW_ADD(buflen, chunk->val.len + 5 + 4 + 1 + 4 + 1);
+                    CHECK_OVERFLOW_ADD(buflen, 4 + 1 + 4 + 1);
+                    CHECK_OVERFLOW_ADD(buflen, chunk->oid.len);
+                    CHECK_OVERFLOW_ADD(buflen, chunk->val.len);
                     chunk = chunk->next;
                 }
-                CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len + 4 + 1);
+                CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len);
+                CHECK_OVERFLOW_ADD(buflen, 4 + 1);
                 break;
             }
             default: