Merge pull request #3192 from AndrzejKurek/max_pathlen_overflow

Guard from undefined behaviour in case of an INT_MAX max_pathlen
2026-04-25 21:18:53 +02:00 · 2020-04-16 16:29:44 +01:00
parent ed9e4779ab 1605074f97
commit 31f4cd9de2
4 changed files with 54 additions and 0 deletions
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -524,6 +524,12 @@ static int x509_get_basic_constraints( unsigned char **p,
        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );

+    /* Do not accept max_pathlen equal to INT_MAX to avoid a signed integer
+     * overflow, which is an undefined behavior. */
+    if( *max_pathlen == INT_MAX )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
    (*max_pathlen)++;

    return( 0 );