lib/x509/x509_ext: avoid a heap overread in SCT extension parser
authorAlexander Sosedkin <asosedkin@redhat.com>
Mon, 13 Apr 2026 16:42:56 +0000 (18:42 +0200)
committerAlexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 14:26:23 +0000 (16:26 +0200)
Parsing a specially crafted SCT extension could previously lead to
a short heap overread.
The list-length validation didn't account for the 2-byte length field.

The fix now accounts for the header field length,
ensuring the parsing stays within the buffer.

Fixes: #1822
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
lib/x509/x509_ext.c

index 33a4c913e35abc305cc8dc5b3c9b4dd476f38f6c..f5cabe3b6fbc4bd4641b26bb261d32a11bdbe1d9 100644 (file)
@@ -3758,13 +3758,13 @@ int gnutls_x509_ext_ct_import_scts(const gnutls_datum_t *ext,
        if (retval < 0)
                return gnutls_assert_val(retval);
 
-       if (scts_content.size < 2) {
+       if (scts_content.size < sizeof(uint16_t)) {
                gnutls_free(scts_content.data);
                return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
        }
 
        length = _gnutls_read_uint16(scts_content.data);
-       if (length < 4 || length > scts_content.size) {
+       if (length < 4 || length > scts_content.size - sizeof(uint16_t)) {
                gnutls_free(scts_content.data);
                return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
        }
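Review bot: The corrected bound on `if (length < 4 || length > scts_content.size - sizeof(uint16_t))` still accepts a list whose declared length is shorter than the remaining buffer, so any trailing bytes after the SCT list are silently ignored; if the extension is expected to hold exactly one list, `length != scts_content.size - sizeof(uint16_t)` would reject such encodings instead of parsing a prefix of them, though that is a stricter behavior than before and may need to be weighed against existing certificates. The subtraction is only safe because of the `scts_content.size < sizeof(uint16_t)` guard a few lines above, which is worth stating next to it: `/* list length excludes its own 2-byte prefix; size >= 2 was checked above */`. The `4` on the same line remains a bare constant while the neighbouring `2`s were turned into `sizeof(uint16_t)`; naming what that minimum stands for would keep the two checks consistent. gnutls_x509_ext_ct_import_scts continues outside the hunk.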
@@ -3775,12 +3775,12 @@ int gnutls_x509_ext_ct_import_scts(const gnutls_datum_t *ext,
                        break;
 
                sct_length = _gnutls_read_uint16(ptr);
-               if (sct_length == 0 || sct_length > length)
-                       break;
-
                ptr += sizeof(uint16_t);
                length -= sizeof(uint16_t);
 
+               if (sct_length == 0 || sct_length > length)
+                       break;
+
                /*
                 * _gnutls_parse_ct_sct() will try to read exactly sct_length bytes,
                 * returning an error if it can't
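Review bot: With the check moved after `length -= sizeof(uint16_t)`, a zero or oversized `sct_length` ends the loop with `break` rather than failing the import, so a list whose later SCT is truncated is apparently accepted with only the SCTs parsed before it; whether a truncated trailer should surface as an error to the caller is worth deciding explicitly, and the loop head and the code after the loop are outside the hunk. The reordering itself is the right fix, and its reason deserves a line so a later tidy-up does not move the check back: `/* sct_length must fit in the bytes left after its own 2-byte prefix, so check it only after advancing past that prefix */`. The existing comment at the end of the hunk that _gnutls_parse_ct_sct() reads exactly sct_length bytes is what makes this bound sufficient, and the new comment could point to it.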