always use MAX_CHAIN_DEPTH for args->certs buffer

2021-02-12 15:18:14 +07:00 · 2021-02-12 15:18:14 +07:00 · 0938a0055d
parent 90140fc5a4
commit 0938a0055d
1 changed files with 8 additions and 15 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -10841,21 +10841,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
        #endif

            /* allocate buffer for certs */
-        #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
-            args->certs = (buffer*)XMALLOC(sizeof(buffer) *
-                    (ssl->verifyDepth + 1), ssl->heap, DYNAMIC_TYPE_DER);
-            if (args->certs == NULL) {
-                ERROR_OUT(MEMORY_E, exit_ppc);
-            }
-            XMEMSET(args->certs, 0, sizeof(buffer) * (ssl->verifyDepth + 1));
-        #else
            args->certs = (buffer*)XMALLOC(sizeof(buffer) * MAX_CHAIN_DEPTH,
                                            ssl->heap, DYNAMIC_TYPE_DER);
            if (args->certs == NULL) {
                ERROR_OUT(MEMORY_E, exit_ppc);
            }
            XMEMSET(args->certs, 0, sizeof(buffer) * MAX_CHAIN_DEPTH);
-        #endif /* OPENSSL_EXTRA */

            /* Certificate List */
            if ((args->idx - args->begin) + OPAQUE24_LEN > totalSz) {
@ -10878,10 +10869,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,


            #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
-                if (args->totalCerts > ssl->verifyDepth) {
+                if (args->totalCerts >= MAX_CHAIN_DEPTH) {
                    ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
                    ret = MAX_CHAIN_ERROR;
-                    break; /* break out to do certificate verify callback */
+                    WOLFSSL_MSG("Too many certs for MAX_CHAIN_DEPTH");
+                    break; /* break out to avoid reading more certs then buffer
+                            * can hold */
                }
            #else
                if (args->totalCerts >= ssl->verifyDepth ||
@ -11122,7 +11115,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                        (void)doCrlLookup;
                    }
            #endif /* HAVE_OCSP || HAVE_CRL */
-#ifdef OPENSSL_EXTRA
+            #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                    if (ret == 0 &&
                        /* extend the limit "+1" until reaching
                         * an ultimately trusted issuer.*/
@ -11130,7 +11123,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                        ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
                        ret = MAX_CHAIN_ERROR;
                    }
-#endif
+            #endif
                    /* Do verify callback */
                    ret = DoVerifyCallback(ssl->ctx->cm, ssl, ret, args);
                    if (ssl->options.verifyNone &&