Fix invalid memory read in x509_get_sig()
diff --git a/ChangeLog b/ChangeLog
index d41468f..efc06fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,9 @@
Security
* Fix potential invalid memory read in the server, that allows a client to
crash it remotely (found by Caj Larsson).
+ * Fix potential invalid memory read in certificate parsing, that allows a
+ client to crash the server remotely if client authentication is enabled
+ (found using Codenomicon Defensics).
Bugfix
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
diff --git a/library/x509parse.c b/library/x509parse.c
index 3040621..c98145b 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -519,8 +519,7 @@
if( ( ret = asn1_get_tag( p, end, &len, ASN1_BIT_STRING ) ) != 0 )
return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE + ret );
-
- if( --len < 1 || *(*p)++ != 0 )
+ if( len-- < 2 || *(*p)++ != 0 )
return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE );
sig->len = len;