fix(auth): forbid junk after extensions

The extensions must use all remaining bytes in the TBSCertificate. Change-Id: Idf48f7168e146d050ba62dbc732638946fcd6c92 Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
2025-04-19 02:54:24 +00:00 · 2022-12-08 15:23:56 -05:00 · 2022-12-08 15:23:56 -05:00 · fd37982a19
commit fd37982a19
parent e9e4a2a6fd
1 changed files with 5 additions and 3 deletions
--- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
@ -304,24 +304,26 @@ static int cert_parse(void *img, unsigned int img_len)

 	/*
 	 * extensions      [3]  EXPLICIT Extensions OPTIONAL
+	 * -- must use all remaining bytes in TBSCertificate
 	 */
 	ret = mbedtls_asn1_get_tag(&p, end, &len,
 				   MBEDTLS_ASN1_CONTEXT_SPECIFIC |
 				   MBEDTLS_ASN1_CONSTRUCTED | 3);
-	if (ret != 0) {
+	if ((ret != 0) || (len != (size_t)(end - p))) {
 		return IMG_PARSER_ERR_FORMAT;
 	}

 	/*
 	 * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+	 * -- must use all remaining bytes in TBSCertificate
 	 */
 	v3_ext.p = p;
 	ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
 				   MBEDTLS_ASN1_SEQUENCE);
-	if (ret != 0) {
+	if ((ret != 0) || (len != (size_t)(end - p))) {
 		return IMG_PARSER_ERR_FORMAT;
 	}
-	v3_ext.len = (p + len) - v3_ext.p;
+	v3_ext.len = end - v3_ext.p;

 	/*
 	 * Check extensions integrity