fix(auth): forbid junk after extensions
authorDemi Marie Obenour <demiobenour@gmail.com>
Thu, 8 Dec 2022 20:23:56 +0000 (15:23 -0500)
committerDemi Marie Obenour <demiobenour@gmail.com>
Thu, 29 Dec 2022 23:41:10 +0000 (18:41 -0500)
The extensions must use all remaining bytes in the TBSCertificate.

Change-Id: Idf48f7168e146d050ba62dbc732638946fcd6c92
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
drivers/auth/mbedtls/mbedtls_x509_parser.c

index 49bc008ed19f825bb365a8e9ad81872685683cf1..8c78003bb2399a06887a026160d67ac026598aaf 100644 (file)
@@ -304,24 +304,26 @@ static int cert_parse(void *img, unsigned int img_len)
 
        /*
         * extensions      [3]  EXPLICIT Extensions OPTIONAL
+        * -- must use all remaining bytes in TBSCertificate
         */
        ret = mbedtls_asn1_get_tag(&p, end, &len,
                                   MBEDTLS_ASN1_CONTEXT_SPECIFIC |
                                   MBEDTLS_ASN1_CONSTRUCTED | 3);
-       if (ret != 0) {
+       if ((ret != 0) || (len != (size_t)(end - p))) {
                return IMG_PARSER_ERR_FORMAT;
        }
 
        /*
         * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+        * -- must use all remaining bytes in TBSCertificate
         */
        v3_ext.p = p;
        ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
                                   MBEDTLS_ASN1_SEQUENCE);
-       if (ret != 0) {
+       if ((ret != 0) || (len != (size_t)(end - p))) {
                return IMG_PARSER_ERR_FORMAT;
        }
-       v3_ext.len = (p + len) - v3_ext.p;
+       v3_ext.len = end - v3_ext.p;
 
        /*
         * Check extensions integrity
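Review bot: The second `len != (size_t)(end - p)` check on the Extensions SEQUENCE is correct only because the preceding check already forced the [3] wrapper to extend exactly to `end`; the comment copied onto it ("must use all remaining bytes in TBSCertificate") restates the outer invariant rather than the inner one. A clearer form keeps the wrapper's end in a local after the first check, `ext_end = p + len;`, tests the SEQUENCE with `if ((ret != 0) || (len != (size_t)(ext_end - p)))`, and sets `v3_ext.len = ext_end - v3_ext.p;`, with the inner comment reading `-- must fill the [3] wrapper exactly`. Both checks also rely on `end` having been narrowed to the end of the TBSCertificate earlier in cert_parse, whose body starts above this hunk; if `end` still denoted the outer Certificate SEQUENCE, the trailing signatureAlgorithm and signatureValue would make every certificate fail here. The `SIZE (1..MAX)` lower bound is not enforced by these lines (an empty SEQUENCE with `len == 0` passes when it sits at `end`), presumably left to the integrity loop that follows.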