Fix NameConstraints minimum/maximum parsing for values >= 128 #10660
Open
afldl wants to merge 1 commit into
DecodeSubtree() used GetASN_Int8Bit() to decode GeneralSubtree minimum/maximum BaseDistance fields. This function enforces a strict 1-byte DER INTEGER length, so any value >= 128 (which needs 2 bytes with leading-zero sign octet) caused ASN_PARSE_E and d2i_X509() to return NULL. Switch to GetASN_Int16Bit() with word16 variables, matching the pattern already used for BasicConstraints pathLength elsewhere in the same file. The decoded values remain unused by NC matching logic, so this is purely a parsing fix.
Can one of the admins verify this patch?
Closes #10659
DecodeSubtree() was using GetASN_Int8Bit() to decode the GeneralSubtree minimum/maximum BaseDistance fields. That function rejects any DER INTEGER longer than one byte, so values >= 128 (which need a two-byte encoding with leading zero sign octet) caused ASN_PARSE_E and d2i_X509() to return NULL.

Switch to GetASN_Int16Bit() with word16 storage — same pattern already used for BasicConstraints pathLength elsewhere in this file. Four lines changed, no behavioral change beyond fixing the parse failure.
Tested:
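
The encoding issue described in this pull request, shown as an added example that is not part of the pull request, its test results, or the project's code: a reader that accepts only a one-byte DER INTEGER body rejects 128, while a 16-bit reader that allows the leading zero sign octet accepts it. The names der_uint_strict8, der_uint16 and DER_PARSE are hypothetical, and the byte strings are constructed.

```c
#include <stdio.h>
#include <stdint.h>

#define DER_PARSE (-1)   /* hypothetical stand-in for a parse error code */

/* Constructed DER INTEGERs: 127 fits one byte, 128 needs a 0x00 sign octet. */
static const uint8_t INT_127[] = { 0x02, 0x01, 0x7F };
static const uint8_t INT_128[] = { 0x02, 0x02, 0x00, 0x80 };

/* Strict reader (hypothetical): only a one-byte INTEGER body is accepted. */
int der_uint_strict8(const uint8_t *in, size_t len, uint8_t *out)
{
    if (len != 3 || in[0] != 0x02 || in[1] != 0x01 || (in[2] & 0x80))
        return DER_PARSE;
    *out = in[2];
    return 0;
}

/* Wider reader (hypothetical): non-negative INTEGER up to 65535. */
int der_uint16(const uint8_t *in, size_t len, uint16_t *out)
{
    size_t n, i = 2;
    uint32_t v = 0;
    if (len < 3 || in[0] != 0x02)
        return DER_PARSE;
    n = in[1];
    if (n > 3 || len != 2 + n || (in[2] & 0x80))
        return DER_PARSE;            /* too long, truncated, or negative */
    if (n > 1 && in[2] == 0x00) {
        if (!(in[3] & 0x80))
            return DER_PARSE;        /* sign octet not needed: non-minimal DER */
        i = 3;                       /* skip the sign octet */
    } else if (n == 3) {
        return DER_PARSE;            /* three value bytes exceed 16 bits */
    }
    for (; i < 2 + n; i++)
        v = (v << 8) | in[i];
    *out = (uint16_t)v;
    return 0;
}

int main(void)
{
    uint8_t a = 0; uint16_t b = 0;
    int ok = der_uint_strict8(INT_127, sizeof INT_127, &a);
    int r8 = der_uint_strict8(INT_128, sizeof INT_128, &a);
    int r16 = der_uint16(INT_128, sizeof INT_128, &b);
    printf("127 strict8: %d; 128 strict8: %d; 128 uint16: %d (value %u)\n", ok, r8, r16, b);
    return 0;
}
```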