authorTom Cosgrove <tom@cvs.openbsd.org>2007-03-03 20:03:04 +0000
committerTom Cosgrove <tom@cvs.openbsd.org>2007-03-03 20:03:04 +0000
commit773c467750f601787f8852612b4ea6d4e6cbe5b7 (patch)
tree075b48b2a9661cad386673bdcec69b76434721bd /sbin
parentc6113aee5253db3aa672ef0e645625570ae7ebdc (diff)
There may be more than one item in the subjectAltName (cropping up
with CACert certificates) so don't require the reported length to be exactly equal to the length of the data, but accept it if it's <= the length of the data (i.e. we just use the first alt name). The purpose of the check is to make sure we don't try to read beyond the data we actually have. ok cloder@ hshoexer@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/x509.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index a003d8a395e..b126e7a4f55 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.107 2006/09/19 10:48:41 otto Exp $ */
+/* $OpenBSD: x509.c,v 1.108 2007/03/03 20:03:03 tom Exp $ */
/* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */
/*
@@ -1099,7 +1099,12 @@ x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len)
sanlen = sandata[3];
sandata += 4;
- if (sanlen + 4 != subjectaltname->value->length) {
+ /*
+ * The test here used to be !=, but some certificates can include
+ * extra stuff in subjectAltName, so we will just take the first
+ * salen bytes, and not worry about what follows.
+ */
+ if (sanlen + 4 > subjectaltname->value->length) {
log_print("x509_cert_subjectaltname: subjectaltname invalid "
"length");
return 0;