x509/pkcs12_bag: fix off-by-one in bag element bounds check

Appending elements to a PKCS#12 bag had a bounds check that
prevented adding the 32nd element.
On the other hand, it is possible to import one that already has 32.
Subsequent appending then led to writing past the 32-element array,
smashing its length.

Tighten the check to reject any bag with 32 or more elements.

We'll treat this vulnerability as a Low due to how contrived
the requirements are: for the code to be vulnerable,
it needs to append to an imported untrusted unencrypted PKCS#12 structure.

Reported-by: Zou Dikai
Fixes: #1840
Fixes: CVE-2026-42015
Fixes: GNUTLS-SA-2026-04-29-11
CVSS: 6.1 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Severity: Low
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
index 911aeff932206338929fc00786b6e4971038843a..38228613cc663d6fdef2e338a0703e5d1d8fe66f 100644 (file)
--- a/lib/x509/pkcs12_bag.c
+++ b/lib/x509/pkcs12_bag.c
@@ -375,7 +375,7 @@ int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag_t bag,
                return GNUTLS_E_INVALID_REQUEST;
        }
 
-       if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) {
+       if (bag->bag_elements >= MAX_BAG_ELEMENTS - 1) {
                gnutls_assert();
                /* bag is full */
                return GNUTLS_E_MEMORY_ERROR;