From 1165270e73508b9fb3dfdc0294a5926d56679c75 Mon Sep 17 00:00:00 2001
From: Job Snijders
Date: Mon, 5 Feb 2024 19:10:11 +0000
Subject: [PATCH] Make sure d2i_X509() consumed all data

An artefact of d2i_*() functions is that once they're satisfied, there still might be trailing garbage in the field that's being decoded. Callers of d2i_*() functions generally should conform that all data has been consumed.
---
 src/asn1/signed_data.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/asn1/signed_data.c b/src/asn1/signed_data.c
index d2f85d7a..301ae23d 100644
--- a/src/asn1/signed_data.c
+++ b/src/asn1/signed_data.c
@@ -58,7 +58,7 @@ static int
 handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
 OCTET_STRING_t *sid, ANY_t *signedData, SignatureValue_t *signature)
 {
- const unsigned char *tmp;
+ const unsigned char *otmp, *tmp;
 X509 *cert;
 enum rpki_policy policy;
 int error;
@@ -78,12 +78,16 @@ handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
 * pointer.
 */
 tmp = (const unsigned char *) cert_encoded->buf;
-
+ otmp = tmp;
 cert = d2i_X509(NULL, &tmp, cert_encoded->size);
 if (cert == NULL) {
 error = val_crypto_err("Signed object's 'certificate' element does not decode into a Certificate");
 goto end1;
 }
+ if (tmp != otmp + cert_encoded->size) {
+ error = val_crypto_err("Signed object's 'certificate' element contains trailing garbage");
+ goto end1;
+ }
 
 x509_name_pr_debug("Issuer", X509_get_issuer_name(cert));
 
--
2.39.5
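Review bot: The new trailing-garbage branch in handle_sdata_certificate jumps to `end1` after d2i_X509() has already returned a valid `cert`, the same label the `cert == NULL` branch uses, so unless `end1` frees the certificate this path leaks one X509 object per rejected signed object. The cleanup labels are outside the hunk, so this needs checking against the function's tail; if `end1` does not release it, add `X509_free(cert);` before the `goto end1;` or jump to the label that does. Because the bytes come from repository data the validator does not control, a leak on this path is memory growth that malformed objects can trigger repeatedly. Separately, val_crypto_err() is presumably meant for failures that leave an entry in the OpenSSL error queue, which this length mismatch does not, so a plain validation-error call may give a cleaner log line.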