Fix X.509 SAN parsing

Fixes #2838. See the issue description for more information. Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2025-08-08 17:42:09 +03:00 · 2019-09-13 12:24:56 +01:00
parent 262851df1c
commit 011a98343d
1 changed files with 10 additions and 10 deletions
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -645,8 +645,6 @@ static int x509_get_subject_alt_name( unsigned char **p,
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t len, tag_len;
-    mbedtls_asn1_buf *buf;
-    unsigned char tag;
    mbedtls_asn1_sequence *cur = subject_alt_name;

    /* Get main sequence tag */
@@ -661,14 +659,19 @@ static int x509_get_subject_alt_name( unsigned char **p,
    while( *p < end )
    {
        mbedtls_x509_subject_alternative_name dummy_san_buf;
+        mbedtls_x509_buf tmp_san_buf;
        memset( &dummy_san_buf, 0, sizeof( dummy_san_buf ) );

-        tag = **p;
+        tmp_san_buf.tag = **p;
        (*p)++;
+
        if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 )
            return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );

-        if( ( tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) !=
+        tmp_san_buf.p = *p;
+        tmp_san_buf.len = tag_len;
+
+        if( ( tmp_san_buf.tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) !=
                MBEDTLS_ASN1_CONTEXT_SPECIFIC )
        {
            return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
@@ -678,7 +681,7 @@ static int x509_get_subject_alt_name( unsigned char **p,
        /*
         * Check that the SAN is structured correctly.
         */
-        ret = mbedtls_x509_parse_subject_alt_name( &(cur->buf), &dummy_san_buf );
+        ret = mbedtls_x509_parse_subject_alt_name( &tmp_san_buf, &dummy_san_buf );
        /*
         * In case the extension is malformed, return an error,
         * and clear the allocated sequences.
@@ -705,11 +708,8 @@ static int x509_get_subject_alt_name( unsigned char **p,
            cur = cur->next;
        }

-        buf = &(cur->buf);
-        buf->tag = tag;
-        buf->p = *p;
-        buf->len = tag_len;
-        *p += buf->len;
+        cur->buf = tmp_san_buf;
+        *p += tmp_san_buf.len;
    }

    /* Set final sequence entry's next pointer to NULL */