Fix memory leak with crafted X.509 certs
diff --git a/ChangeLog b/ChangeLog
index cae2e05..87dc23a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,9 @@
* Fix remotely-triggerable uninitialised pointer dereference caused by
crafted X.509 certificate (TLS server is not affected if it doesn't ask
for a client certificate) (found using Codenomicon Defensics).
+ * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
+ (TLS server is not affected if it doesn't ask for a client certificate)
+ (found using Codenomicon Defensics).
Changes
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
diff --git a/library/x509parse.c b/library/x509parse.c
index 806dcea..c00c5db 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -866,6 +866,9 @@
/* Allocate and assign next pointer */
if (*p < end)
{
+ if( cur->next != NULL )
+ return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS );
+
cur->next = (asn1_sequence *) malloc(
sizeof( asn1_sequence ) );
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 756c004..539b03a 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -560,6 +560,9 @@
X509 Certificate ASN1 (ExtKeyUsage, bad second tag)
x509parse_crt:"308201ae308201aaa003020102020900a287596575d722e1300d06092a864886f70d0101050500300f310d300b0603550403130454657374301e170d3134313131373039323530345a170d3234313131343039323530345a300f310d300b060355040313045465737430820122300d06092a864886f70d01010105000382010f003082010a0282010100c14da3dde7cd1dd104d74972b899ac0e78e43a3c4acf3a1316d05ae4cda30088a7ee1e6b96a752b490ef2d727a3e249afcb634ac24f577e026648c9cb0287da1daea8ce6c91c96bcfec10452b336d4a3fae1b176d890c161b4665236a22653aaab745e077d1982db2ad81fa0d90d1c2d4966f75b257346e80b8a4f690cb50090e1da8210667dae542b8b657991a1e261c3cd404908ee680cf18b86d246bfd0b8aa11031e7f56a81a1e44180f0f858bda8b445ee218c6622fc7668dfa5dd87df327892901c5900e3f27f130c84a0eefd6dec7c7276bc7053d7ac4023c9a1d3e0fe834985bcb734b5296d811a22c808869395ad30fb0de592f11c7f7ea120130970203010001a321301f301d0603551d250416301406082b0601050507030107082b06010505070302":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + POLARSSL_ERR_ASN1_UNEXPECTED_TAG
+X509 Certificate ASN1 (SubjectAltName repeated)
+x509parse_crt:"308201cd308201c9a003020102020900a287596575d722e1300d06092a864886f70d0101050500300f310d300b0603550403130454657374301e170d3134313131373039323530345a170d3234313131343039323530345a300f310d300b060355040313045465737430820122300d06092a864886f70d01010105000382010f003082010a0282010100c14da3dde7cd1dd104d74972b899ac0e78e43a3c4acf3a1316d05ae4cda30088a7ee1e6b96a752b490ef2d727a3e249afcb634ac24f577e026648c9cb0287da1daea8ce6c91c96bcfec10452b336d4a3fae1b176d890c161b4665236a22653aaab745e077d1982db2ad81fa0d90d1c2d4966f75b257346e80b8a4f690cb50090e1da8210667dae542b8b657991a1e261c3cd404908ee680cf18b86d246bfd0b8aa11031e7f56a81a1e44180f0f858bda8b445ee218c6622fc7668dfa5dd87df327892901c5900e3f27f130c84a0eefd6dec7c7276bc7053d7ac4023c9a1d3e0fe834985bcb734b5296d811a22c808869395ad30fb0de592f11c7f7ea120130970203010001a321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS
+
X509 Certificate ASN1 (correct pubkey, no sig_alg)
x509parse_crt:"308183308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":POLARSSL_ERR_X509_CERT_INVALID_ALG + POLARSSL_ERR_ASN1_OUT_OF_DATA