cbor: add decode_x5c_array()

Adds explicit checks that the target array is empty when we parse the CBOR map. This triggers a failure for malformed responses with duplicate keys.
Yubico · Feb 8, 2024 · b465d28 · b465d28
1 parent 19d349e
commit b465d28
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/src/cbor.c b/src/cbor.c
@@ -1414,6 +1414,21 @@ decode_x5c(const cbor_item_t *item, void *arg)
 	return (0);
 }
 
+static int
+decode_x5c_array(const cbor_item_t *item, fido_blob_array_t *arr)
+{
+	if (arr->len) {
+		fido_log_debug("%s: dup", __func__);
+		return (-1);
+	}
+	if (cbor_isa_array(item) == false ||
+	    cbor_array_is_definite(item) == false) {
+		fido_log_debug("%s: cbor", __func__);
+		return (-1);
+	}
+	return (cbor_array_iter(item, arr, decode_x5c));
+}
+
 static int
 decode_attstmt_entry(const cbor_item_t *key, const cbor_item_t *val, void *arg)
 {
@@ -1447,9 +1462,7 @@ decode_attstmt_entry(const cbor_item_t *key, const cbor_item_t *val, void *arg)
 			goto out;
 		}
 	} else if (!strcmp(name, "x5c")) {
-		if (cbor_isa_array(val) == false ||
-		    cbor_array_is_definite(val) == false ||
-		    cbor_array_iter(val, &attstmt->x5c, decode_x5c) < 0) {
+		if (decode_x5c_array(val, &attstmt->x5c)) {
 			fido_log_debug("%s: x5c", __func__);
 			goto out;
 		}