Fix X.509 SAN parsing

Fixes Mbed-TLS#2838. See the issue description for more information.
hanno-becker · Sep 13, 2019 · 419eb05 · 419eb05
1 parent 4197f0e
commit 419eb05
Showing 1 changed file with 10 additions and 10 deletions.
diff --git a/library/x509_crt.c b/library/x509_crt.c
@@ -627,8 +627,6 @@ static int x509_get_subject_alt_name( unsigned char **p,
 {
     int ret;
     size_t len, tag_len;
-    mbedtls_asn1_buf *buf;
-    unsigned char tag;
     mbedtls_asn1_sequence *cur = subject_alt_name;
 
     /* Get main sequence tag */
@@ -643,18 +641,23 @@ static int x509_get_subject_alt_name( unsigned char **p,
     while( *p < end )
     {
         mbedtls_x509_subject_alternative_name dummy_san_buf;
+        mbedtls_x509_buf tmp_san_buf;
         memset( &dummy_san_buf, 0, sizeof( dummy_san_buf ) );
 
         if( ( end - *p ) < 1 )
             return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
                     MBEDTLS_ERR_ASN1_OUT_OF_DATA );
 
-        tag = **p;
+        tmp_san_buf.tag = **p;
         (*p)++;
+
         if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 )
             return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
 
-        if( ( tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) !=
+        tmp_san_buf.p = *p;
+        tmp_san_buf.len = tag_len;
+
+        if( ( tmp_san_buf.tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) !=
                 MBEDTLS_ASN1_CONTEXT_SPECIFIC )
         {
             return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
@@ -664,7 +667,7 @@ static int x509_get_subject_alt_name( unsigned char **p,
         /*
          * Check that the SAN are structured correct.
          */
-        ret = mbedtls_x509_parse_subject_alt_name( &(cur->buf), &dummy_san_buf );
+        ret = mbedtls_x509_parse_subject_alt_name( &tmp_san_buf, &dummy_san_buf );
         /*
          * In case the extension is malformed, return an error,
          * and clear the allocated sequences.
@@ -700,11 +703,8 @@ static int x509_get_subject_alt_name( unsigned char **p,
             cur = cur->next;
         }
 
-        buf = &(cur->buf);
-        buf->tag = tag;
-        buf->p = *p;
-        buf->len = tag_len;
-        *p += buf->len;
+        cur->buf = tmp_san_buf;
+        *p += tmp_san_buf.len;
     }
 
     /* Set final sequence entry's next pointer to NULL */