Prevent crash on malformed Key Usage
authorAlberto Leiva Popper <ydahhrk@gmail.com>
Tue, 6 Aug 2024 16:29:16 +0000 (10:29 -0600)
committerAlberto Leiva Popper <ydahhrk@gmail.com>
Tue, 6 Aug 2024 16:29:16 +0000 (10:29 -0600)
Key Usage bit strings longer than 2 bytes were inducing buffer overflow.

Thanks to Niklas Vogel for reporting this.

src/object/certificate.c

index 3e2439bf4dd342e3c816c6255850573da521a338..f36392d41063142898194df4c7871e4beba7caea 100644 (file)
@@ -1329,9 +1329,9 @@ handle_ku(ASN1_BIT_STRING *ku, unsigned char byte1)
 
        unsigned char data[2];
 
-       if (ku->length == 0) {
-               return pr_val_err("%s bit string has no enabled bits.",
-                   ext_ku()->name);
+       if (ku->length != 2 && ku->length != 1) {
+               return pr_val_err("Bogus %s length: %d",
+                   ext_ku()->name, ku->length);
        }
 
        memset(data, 0, sizeof(data));
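Review bot: The new length guard in handle_ku hard-codes 1 and 2 instead of deriving its upper bound from the `data[2]` buffer it protects, so a later change to that buffer's size would silently detach the check from the copy it guards. Consider `if (ku->length < 1 || ku->length > (int)sizeof(data)) {`, with a short comment above it such as `/* ku->data is copied into data[] below; reject any length that does not fit. */`. The copy itself is outside the hunk (the function continues past the `memset`), so I am inferring that it uses `ku->length` as its size. A regression case that feeds a three-byte Key Usage bit string through this path would keep the bound from regressing.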