x509: reject zero-length version in certificate request

Ensure zero size asn1 values are considered invalid in
gnutls_x509_crq_get_version, this ensures crq version is not used
uninitialized. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42536706

Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Signed-off-by: Daiki Ueno <ueno@gnu.org>

diff --git a/fuzz/gnutls_x509_crq_parser_fuzzer.repro/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 b/fuzz/gnutls_x509_crq_parser_fuzzer.repro/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2
new file mode 100644 (file)
index 0000000..23ff09c
Binary files /dev/null and b/fuzz/gnutls_x509_crq_parser_fuzzer.repro/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 differ

diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index dfa0fa877879a2cba10b406c05bae364fabc2f65..5b9972e31c104d026dc51c0c069fd029c21f8bd0 100644 (file)
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -615,6 +615,13 @@ int gnutls_x509_crq_get_version(gnutls_x509_crq_t crq)
                return _gnutls_asn2err(result);
        }
 
+       /* Note that asn1_read_value can return success with */
+       /* len set to zero (without setting the data) in some */
+       /* conditions. */
+       if (unlikely(len <= 0)) {
+               return gnutls_assert_val(GNUTLS_E_ASN1_VALUE_NOT_VALID);
+       }
+
        return (int)version[0] + 1;
 }