From 61f4fc24a94591f05e78755f00a702af3d45d717 Mon Sep 17 00:00:00 2001
From: Jonathan Winzig <jwinzig@hilscher.com>
Date: Wed, 10 Jan 2024 13:26:12 +0100
Subject: [PATCH 1/2] Add tests for Issue #8687

Signed-off-by: Jonathan Winzig <jwinzig@hilscher.com>
---
 tests/suites/test_suite_x509write.data     |  3 +++
 tests/suites/test_suite_x509write.function | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index 999c05f1c..6bb81c7e7 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -138,3 +138,6 @@ mbedtls_x509_string_to_names:"ABC123":"":MBEDTLS_ERR_X509_INVALID_NAME
 
 Check max serial length
 x509_set_serial_check:
+
+Check max extension length
+x509_set_extension_length_check:
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 90c2192ed..3bff94365 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -499,3 +499,24 @@ exit:
     USE_PSA_DONE();
 }
 /* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_WRITE_C */
+void x509_set_extension_length_check()
+{
+    int ret = 0;
+
+    mbedtls_x509write_csr ctx;
+    mbedtls_x509write_csr_init(&ctx);
+
+    unsigned char buf[EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH] = { 0 };
+    unsigned char *p = buf + sizeof(buf);
+
+    ret = mbedtls_x509_set_extension(&(ctx.extensions),
+                                     MBEDTLS_OID_EXTENDED_KEY_USAGE,
+                                     MBEDTLS_OID_SIZE(MBEDTLS_OID_EXTENDED_KEY_USAGE),
+                                     0,
+                                     p,
+                                     SIZE_MAX);
+    TEST_ASSERT(MBEDTLS_ERR_X509_BAD_INPUT_DATA == ret);
+}
+/* END_CASE */

From a836a8499e0fc620358dddfd0ce1de95522460c1 Mon Sep 17 00:00:00 2001
From: Jonathan Winzig <jwinzig@hilscher.com>
Date: Wed, 10 Jan 2024 13:26:36 +0100
Subject: [PATCH 2/2] Fix Issue #8687

Signed-off-by: Jonathan Winzig <jwinzig@hilscher.com>
---
 library/x509_create.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/library/x509_create.c b/library/x509_create.c
index 73789dad5..4ffd3b6a8 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -195,6 +195,10 @@ int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid,
 {
     mbedtls_asn1_named_data *cur;
 
+    if (val_len > (SIZE_MAX  - 1)) {
+        return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+    }
+
     if ((cur = mbedtls_asn1_store_named_data(head, oid, oid_len,
                                              NULL, val_len + 1)) == NULL) {
         return MBEDTLS_ERR_X509_ALLOC_FAILED;