Check for invalid length in the X.509 version field
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 20 Apr 2015 12:04:37 +0000 (14:04 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 20 Apr 2015 12:05:34 +0000 (14:05 +0200)
If such an invalid length is detected, reject the certificate.
Reported by Hanno Böck.

lib/x509/x509.c

index 8e5948becf0f3646983bc57e89a3ea1cf2ccf443..d4df162712297cb45aff63059b3b42f6ba834618 100644 (file)
@@ -347,7 +347,13 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
        }
 
        /* enforce the rule that only version 3 certificates carry extensions */
-       version = gnutls_x509_crt_get_version(cert);
+       result = gnutls_x509_crt_get_version(cert);
+       if (result < 0) {
+               gnutls_assert();
+               goto cleanup;
+       }
+
+       version = result;
        if (version < 3) {
                gnutls_datum_t exts;
                result = _gnutls_x509_get_raw_field2(cert->cert, &cert->der,
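Review bot: The new `result < 0` check protects only this call site in gnutls_x509_crt_import. Any other caller of gnutls_x509_crt_get_version that compares the return value with `< 3` without first testing for a negative value would still read an error code as a pre-v3 version. No other callers are visible in this diff, so this needs a search of the tree rather than a change in this hunk. A short comment above the check would also help, e.g. `/* a negative return is an error code, not a version number */`. The enclosing function and the `cleanup` label lie outside the hunk.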
@@ -741,6 +747,9 @@ int gnutls_x509_crt_get_version(gnutls_x509_crt_t cert)
                return _gnutls_asn2err(result);
        }
 
+       if (len == 0)
+               return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
+
        return (int) version[0] + 1;
 }
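Review bot: The added guard rejects only `len == 0`, so a version INTEGER encoded in more than one byte still reaches `return (int) version[0] + 1;` and is judged by its leading byte alone. Assuming `version` is a small byte buffer and `len` is the length written back by the ASN.1 read (both are declared outside the hunk), the stricter form `if (len != 1)` would reject every encoding the return expression cannot represent. The function's doc comment, also outside the hunk, should mention that GNUTLS_E_CERTIFICATE_ERROR can now be returned for a malformed version field.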