From: Job Snijders Date: Mon, 5 Feb 2024 19:10:11 +0000 (+0000) Subject: Make sure d2i_X509() consumed all data X-Git-Tag: 1.6.2~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F108%2Fhead;p=thirdparty%2FFORT-validator.git Make sure d2i_X509() consumed all data An artefact of d2i_*() functions is that once they're satisfied, there still might be trailing garbage in the field that's being decoded. Callers of d2i_*() functions generally should conform that all data has been consumed.
---
diff --git a/src/asn1/signed_data.c b/src/asn1/signed_data.c
index d2f85d7a..301ae23d 100644
--- a/src/asn1/signed_data.c
+++ b/src/asn1/signed_data.c
@@ -58,7 +58,7 @@ static int
 handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
 OCTET_STRING_t *sid, ANY_t *signedData, SignatureValue_t *signature)
 {
- const unsigned char *tmp;
+ const unsigned char *otmp, *tmp;
 X509 *cert;
 enum rpki_policy policy;
 int error;
@@ -78,12 +78,16 @@ handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
 * pointer.
 */
 tmp = (const unsigned char *) cert_encoded->buf;
-
+ otmp = tmp;
 cert = d2i_X509(NULL, &tmp, cert_encoded->size);
 if (cert == NULL) {
 error = val_crypto_err("Signed object's 'certificate' element does not decode into a Certificate");
 goto end1;
 }
+ if (tmp != otmp + cert_encoded->size) {
+ error = val_crypto_err("Signed object's 'certificate' element contains trailing garbage");
+ goto end1;
+ }
 x509_name_pr_debug("Issuer", X509_get_issuer_name(cert));
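Review bot: The new trailing-data branch in the second hunk exits through `goto end1;`, the same label the `cert == NULL` path uses, although `cert` now holds a successfully decoded certificate. The cleanup labels lie outside the hunk, so this needs confirming: if `end1` does not release `cert`, every signed object rejected for trailing bytes leaks one X509 structure, and these objects appear to be externally supplied input. Either jump to whichever cleanup label frees the certificate, or add `X509_free(cert);` before the `goto end1;`. Separately, `val_crypto_err()` looks like it reports the OpenSSL error queue, which is presumably empty here because `d2i_X509()` succeeded, so a plain validation-error call may give a cleaner log line.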