From 2e2d5c84e840eb31acf9ef1db73ccf7eca220910 Mon Sep 17 00:00:00 2001
From: Ludvig Michaelsson
Date: Tue, 6 Feb 2024 15:24:29 +0100
Subject: [PATCH] cbor: add decode_x5c_array()

Adds explicit checks that the target array is empty when we parse the CBOR map. This triggers a failure for malformed responses with duplicate keys.
---
 src/cbor.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/cbor.c b/src/cbor.c
index cd809f8c..52d13e4e 100644
--- a/src/cbor.c
+++ b/src/cbor.c
@@ -1414,6 +1414,21 @@ decode_x5c(const cbor_item_t *item, void *arg)
 return (0);
 }
 
+static int
+decode_x5c_array(const cbor_item_t *item, fido_blob_array_t *arr)
+{
+ if (arr->len) {
+ fido_log_debug("%s: dup", __func__);
+ return (-1);
+ }
+ if (cbor_isa_array(item) == false ||
+ cbor_array_is_definite(item) == false) {
+ fido_log_debug("%s: cbor", __func__);
+ return (-1);
+ }
+ return (cbor_array_iter(item, arr, decode_x5c));
+}
+
 static int
 decode_attstmt_entry(const cbor_item_t *key, const cbor_item_t *val, void *arg)
 {
@@ -1447,9 +1462,7 @@ decode_attstmt_entry(const cbor_item_t *key, const cbor_item_t *val, void *arg)
 goto out;
 }
 } else if (!strcmp(name, "x5c")) {
- if (cbor_isa_array(val) == false ||
- cbor_array_is_definite(val) == false ||
- cbor_array_iter(val, &attstmt->x5c, decode_x5c) < 0) {
+ if (decode_x5c_array(val, &attstmt->x5c)) {
 fido_log_debug("%s: x5c", __func__);
 goto out;
 }
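Review bot: The `arr->len` guard at the top of decode_x5c_array() only detects a repeated "x5c" key when the first occurrence stored at least one element. A zero-length first array leaves `len` at 0, so a second "x5c" entry in the same map would still be accepted and supply the certificate chain. If an empty x5c is never valid for the attestation formats handled here, rejecting it after the definite-array check closes the gap: `if (cbor_array_size(item) == 0) { fido_log_debug("%s: empty", __func__); return (-1); }`. This assumes decode_x5c(), whose body is outside the hunk, is what grows `arr`. A short comment on the guard such as `/* a non-empty arr means "x5c" was already decoded from this map */` would also record why `len` doubles as the duplicate-key signal.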
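Review bot: The failure test at the "x5c" call site changed from `< 0` to plain truthiness, so any non-zero return from decode_x5c_array() now counts as an error, where the removed lines only treated negative results of cbor_array_iter() that way. If cbor_array_iter(), which is defined outside this hunk, only ever returns 0 or -1, the two are equivalent, but that is not visible here. Writing `if (decode_x5c_array(val, &attstmt->x5c) < 0) {` keeps the convention of the removed lines and makes the contract of the new helper explicit. The body of decode_attstmt_entry() starts and ends outside the hunk, so the convention used by its other branches could not be checked.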