Detect absent isCA flags in basic constraints. Detect and reject negative

or too large positive path length constraints in basic constraints.
Bug 221644. r=jpierre.

1 files changed, 11 insertions, 5 deletions

diff --git a/security/nss/lib/certdb/xbsconst.c b/security/nss/lib/certdb/xbsconst.c
index fea0e5dc8..f7f893833 100644
--- a/security/nss/lib/certdb/xbsconst.c
+++ b/security/nss/lib/certdb/xbsconst.c
@@ -142,7 +142,9 @@ SECStatus CERT_DecodeBasicConstraintValue
 	if (rv == SECFailure)
 	    break;
 	
-	value->isCA = (PRBool)(*decodeContext.isCA.data);
+	value->isCA = decodeContext.isCA.data 
+	              ? (PRBool)(decodeContext.isCA.data[0] != 0)
+		      : PR_FALSE;
 	if (decodeContext.pathLenConstraint.data == NULL) {
 	    /* if the pathLenConstraint is not encoded, and the current setting
 	      is CA, then the pathLenConstraint should be set to a negative number
@@ -150,10 +152,14 @@ SECStatus CERT_DecodeBasicConstraintValue
 	     */
 	    if (value->isCA)
 		value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
-	}
-	else if (value->isCA)
-	    value->pathLenConstraint = DER_GetUInteger (&decodeContext.pathLenConstraint);
-	else {
+	} else if (value->isCA) {
+	    long len = DER_GetInteger (&decodeContext.pathLenConstraint);
+	    if (len < 0 || len == LONG_MAX) {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		GEN_BREAK (SECFailure);
+	    }
+	    value->pathLenConstraint = len;
+	} else {
 	    /* here we get an error where the subject is not a CA, but
 	       the pathLenConstraint is set */
 	    PORT_SetError (SEC_ERROR_BAD_DER);