From 9c29d48725fd40a82407a89f193cf009aeef9745 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Mon, 19 May 2014 23:25:38 +0300
Subject: [PATCH] X.509: Fix internal TLS/X.509 validation of PKCS#1 signature

Verify that there is no extra data after the hash field. This is needed
to avoid potential attacks using additional data to construct a value
that passes the RSA operation and allows the hash value to be forged.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
 src/tls/x509v3.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index a9483cb7f..751a268e1 100644
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@@ -1783,6 +1783,15 @@ skip_digest_oid:
 		return -1;
 	}
 
+	if (hdr.payload + hdr.length < data + data_len) {
+		wpa_hexdump(MSG_INFO,
+			    "X509: Extra data after certificate signature hash",
+			    hdr.payload + hdr.length,
+			    data + data_len - hdr.payload - hdr.length);
+		os_free(data);
+		return -1;
+	}
+
 	os_free(data);
 
 	wpa_printf(MSG_DEBUG, "X509: Certificate Digest matches with "