From 133a6de045ed3d1c56852e453ff9196647fc4470 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Mon, 31 Oct 2016 14:21:37 +0100
Subject: x509_dn: forbid non-supported escaped chars on DN encoding

---
 lib/x509/x509_dn.c | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

diff --git a/lib/x509/x509_dn.c b/lib/x509/x509_dn.c
index fc8aeb9c8f..a64ca3ed7f 100644
--- a/lib/x509/x509_dn.c
+++ b/lib/x509/x509_dn.c
@@ -88,15 +88,19 @@ int dn_attr_crt_set(set_dn_func f, void *crt, const gnutls_datum_t * name,
 
 		/* unescape */
 		for (j=i=0;i<tmp.size;i++) {
-			if (1+j!=val->size && val->data[j] == '\\' &&
-			    (val->data[j+1] == ',' || val->data[j+1] == '#' ||
-			     val->data[j+1] == ' ' || val->data[j+1] == '+' ||
-			     val->data[j+1] == '"' || val->data[j+1] == '<' ||
-			     val->data[j+1] == '>' || val->data[j+1] == ';' ||
-			     val->data[j+1] == '\\' || val->data[j+1] == '=')) {
-				tmp.data[i] = val->data[j+1];
-				j+=2;
-				tmp.size--;
+			if (1+j!=val->size && val->data[j] == '\\') {
+				if (val->data[j+1] == ',' || val->data[j+1] == '#' ||
+				    val->data[j+1] == ' ' || val->data[j+1] == '+' ||
+				    val->data[j+1] == '"' || val->data[j+1] == '<' ||
+				    val->data[j+1] == '>' || val->data[j+1] == ';' ||
+				    val->data[j+1] == '\\' || val->data[j+1] == '=') {
+					tmp.data[i] = val->data[j+1];
+					j+=2;
+					tmp.size--;
+				} else {
+					ret = gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+					goto fail;
+				}
 			} else {
 				tmp.data[i] = val->data[j++];
 			}
@@ -105,12 +109,15 @@ int dn_attr_crt_set(set_dn_func f, void *crt, const gnutls_datum_t * name,
 	}
 
 	ret = f(crt, oid, is_raw, tmp.data, tmp.size);
-	gnutls_free(tmp.data);
-
-	if (ret < 0)
-		return gnutls_assert_val(ret);
+	if (ret < 0) {
+		gnutls_assert();
+		goto fail;
+	}
 
-	return 0;
+	ret = 0;
+ fail:
+	gnutls_free(tmp.data);
+	return ret;
 }
 
 static int read_attr_and_val(const char **ptr,
-- 
cgit v1.2.1