
update parseCertificate() to guarantee version cannot be negative

After the call to ReadOptionalASN1Integer(), Version can be very large (e.g., 2,147,483,647); performing the Version++ on line 823 would then wrap, leading to a negative Version that passes the version check on line 824.

This change adds a check to make sure Version is reasonable prior to the increment, thereby guaranteeing it will not wrap.
This commit is contained in:
Ilja van Sprundel 2022-08-30 23:43:18 +02:00 committed by GitHub
parent bd56cb90a7
commit 88ee127097
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -815,7 +815,7 @@ func parseCertificate(der []byte) (*Certificate, error) {
if !tbs.ReadOptionalASN1Integer(&cert.Version, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific(), 0) {
return nil, errors.New("x509: malformed version")
}
if cert.Version < 0 {
if cert.Version < 0 || cert.Version > 3 {
return nil, errors.New("x509: malformed version")
}
// for backwards compat reasons Version is one-indexed,
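Review bot: The new upper bound on the added line is one too high for the value being checked: at this point cert.Version still holds the zero-indexed wire value (the comment that follows notes the one-indexed conversion happens afterwards), and X.509 encodes v1, v2 and v3 as 0, 1 and 2, so an encoded value of 3 passes this check and becomes Version 4 after the increment, a version that does not exist. The check should be `if cert.Version < 0 || cert.Version > 2 {` so that only the three defined versions are accepted before the increment. A short comment such as `// Version is zero-indexed on the wire; only v1 (0), v2 (1) and v3 (2) are defined.` would make the bound self-explanatory. parseCertificate begins and continues outside this hunk, so the Version++ itself is not visible here.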