From 320a4b59a8959cf81d79a1849de22eaeea0cd02d Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Sat, 28 Mar 2009 18:52:39 +0000
Subject: [PATCH] - Added input handling for x509parse_crt() - Prevented memory leak by only adding new certificate if needed in x509parse_crt() - Add certificate before parsing if chain is 'full' in x509parse_crt()
---
 library/x509parse.c | 51 +++++++++++++++++++++++++++++++++------
 1 file changed, 38 insertions(+), 13 deletions(-)
diff --git a/library/x509parse.c b/library/x509parse.c
index 9b68af4ef..25965595a 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -657,9 +657,32 @@ int x509parse_crt( x509_cert *chain, unsigned char *buf, int buflen )
 crt = chain;
- while( crt->version != 0 )
+ /*
+ * Check for valid input
+ */
+ if( crt == NULL || buf == NULL )
+ return( 1 );
+
+ while( crt->version != 0 || crt->next != NULL )
 crt = crt->next;
+ /*
+ * Add new certificate on the end of the chain if needed.
+ */
+ if ( crt->next == NULL)
+ {
+ crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
+
+ if( crt->next == NULL )
+ {
+ x509_free( crt );
+ return( 1 );
+ }
+
+ crt = crt->next;
+ memset( crt, 0, sizeof( x509_cert ) );
+ }
+
 /*
 * check if the certificate is encoded in base64
 */
@@ -942,7 +965,7 @@ int x509parse_crt( x509_cert *chain, unsigned char *buf, int buflen )
 return( ret );
 }
- if( memcmp( crt->sig_oid1.p, crt->sig_oid2.p, 9 ) != 0 )
+ if( memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
 {
 x509_free( crt );
 return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
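Review bot: The new loop condition `while( crt->version != 0 || crt->next != NULL )` in the first hunk walks off the end of the list: at a populated last node (`version != 0`, `next == NULL`) the test is still true, `crt` becomes NULL, and the next evaluation dereferences it. Because the last hunk no longer leaves an empty trailing node once the buffer is exhausted, a second call on a chain that already holds a certificate appears to hit exactly this case. The walk should be `while( crt->version != 0 && crt->next != NULL )` and the allocation guard `if( crt->version != 0 && crt->next == NULL )`, so that an empty head node, and the zeroed node the last hunk hands to the recursive call, is filled instead of skipped. The body of x509parse_crt() continues outside this hunk.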
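Review bot: The signature-OID comparison in the second hunk now uses `crt->sig_oid1.len` as the length but never checks that the two OIDs are the same size, so a longer `sig_oid2` sharing the prefix compares equal and a shorter one lets `memcmp` read past its bytes. Both lengths presumably come from the certificate being parsed, so the test should be `if( crt->sig_oid1.len != crt->sig_oid2.len || memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )`. Whether an earlier parsing step already constrains the two lengths is not visible in this hunk.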
@@ -961,19 +984,21 @@ int x509parse_crt( x509_cert *chain, unsigned char *buf, int buflen )
 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
 }
- crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
-
- if( crt->next == NULL )
- {
- x509_free( crt );
- return( 1 );
- }
-
- crt = crt->next;
- memset( crt, 0, sizeof( x509_cert ) );
-
 if( buflen > 0 )
+ {
+ crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
+
+ if( crt->next == NULL )
+ {
+ x509_free( crt );
+ return( 1 );
+ }
+
+ crt = crt->next;
+ memset( crt, 0, sizeof( x509_cert ) );
+
 return( x509parse_crt( crt, buf, buflen ) );
+ }
 return( 0 );
 }
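Review bot: The `if( buflen > 0 )` branch now allocates a node and then recurses once per remaining certificate, so call depth is set by how many certificates are concatenated in `buf`. If that buffer can come from a peer, a long bundle costs one stack frame per certificate unless the compiler happens to turn the tail call into a jump. Looping back to the start of the parsing code instead of calling `x509parse_crt()` again would bound stack use. The bare `return( 1 )` on allocation failure is also indistinguishable from the invalid-input `return( 1 )` added at the top of the function; a dedicated error code would let callers tell the two apart. The function starts outside this hunk.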