Fix bug in x509_get_attr_type_value()

Fixes Mbed-TLS#2437.
hanno-becker · Feb 13, 2019 · 0181103 · 0181103
1 parent 827d90b
commit 0181103
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/library/x509.c b/library/x509.c
@@ -354,6 +354,8 @@ static int x509_get_attr_type_value( unsigned char **p,
             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
         return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
 
+    end = *p + len;
+
     if( ( end - *p ) < 1 )
         return( MBEDTLS_ERR_X509_INVALID_NAME +
                 MBEDTLS_ERR_ASN1_OUT_OF_DATA );
@@ -387,6 +389,12 @@ static int x509_get_attr_type_value( unsigned char **p,
     val->p = *p;
     *p += val->len;
 
+    if( *p != end )
+    {
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
     cur->next = NULL;
 
     return( 0 );