TLS: Fix X.509v3 BasicConstraints parsing

Handling of the optional pathLenConstraint after cA was not done
properly. The position after cA needs to be compared to the end of the
SEQUENCE, not the end of the available buffer, to determine whether the
optional pathLenConstraint is present. In addition, when parsing
pathLenConstraint, the length of the remaining buffer was calculated
incorrectly by not subtracting the length of the header fields needed
for cA. This could result in reading couple of octets beyond the end of
the buffer before rejecting the ASN.1 data as invalid.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15408
Signed-off-by: Jouni Malinen <j@w1.fi>

src/tls/x509v3.c

@@ -815,6 +815,7 @@ static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
 	struct asn1_hdr hdr;
 	unsigned long value;
 	size_t left;
+	const u8 *end_seq;
 
 	/*
 	 * BasicConstraints ::= SEQUENCE {
@@ -836,6 +837,7 @@ static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
 	if (hdr.length == 0)
 		return 0;
 
+	end_seq = hdr.payload + hdr.length;
 	if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
 	    hdr.class != ASN1_CLASS_UNIVERSAL) {
 		wpa_printf(MSG_DEBUG, "X509: Failed to parse "
@@ -852,14 +854,14 @@ static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
 		}
 		cert->ca = hdr.payload[0];
 
-		if (hdr.length == pos + len - hdr.payload) {
+		pos = hdr.payload + hdr.length;
+		if (pos >= end_seq) {
+			/* No optional pathLenConstraint */
 			wpa_printf(MSG_DEBUG, "X509: BasicConstraints - cA=%d",
 				   cert->ca);
 			return 0;
 		}
-
-		if (asn1_get_next(hdr.payload + hdr.length, len - hdr.length,
-				  &hdr) < 0 ||
+		if (asn1_get_next(pos, end_seq - pos, &hdr) < 0 ||
 		    hdr.class != ASN1_CLASS_UNIVERSAL) {
 			wpa_printf(MSG_DEBUG, "X509: Failed to parse "
 				   "BasicConstraints");