Set a compile-time limit to X.509 chain length
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 2d72f6a..4d20889 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1834,6 +1834,13 @@
x509_crt *grandparent;
const md_info_t *md_info;
+ /* path_cnt is 0 for the first intermediate CA */
+ if( 1 + path_cnt > POLARSSL_X509_MAX_INTERMEDIATE_CA )
+ {
+ *flags |= BADCERT_NOT_TRUSTED;
+ return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
+ }
+
if( x509_time_expired( &child->valid_to ) )
*flags |= BADCERT_EXPIRED;