From c28475413f82e1f34295d5c039f0c0a4ca2ee526 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 26 Jan 2026 20:14:33 +0100
Subject: [PATCH] x509/name_constraints: reject some malformed domain names

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/c28475413f82e1f34295d5c039f0c0a4ca2ee526]
CVE: CVE-2025-14831
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 lib/x509/name_constraints.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index d07482e3c9..9783d92851 100644
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -159,6 +159,23 @@ static int validate_name_constraints_node(gnutls_x509_subject_alt_name_t type,
 			return gnutls_assert_val(GNUTLS_E_MALFORMED_CIDR);
 	}
 
+	/* Validate DNS names and email addresses for malformed input */
+	if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME) {
+		unsigned int i;
+		if (name->size == 0)
+			return GNUTLS_E_SUCCESS;
+
+		/* reject names with consecutive dots... */
+		for (i = 0; i + 1 < name->size; i++) {
+			if (name->data[i] == '.' && name->data[i + 1] == '.')
+				return gnutls_assert_val(
+					GNUTLS_E_ILLEGAL_PARAMETER);
+		}
+		/* ... or names consisting exclusively of dots */
+		if (name->size == 1 && name->data[0] == '.')
+			return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+	}
+
 	return GNUTLS_E_SUCCESS;
 }
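Review bot: The comment `/* ... or names consisting exclusively of dots */` overstates what the line below it tests: the check only rejects a one-byte name equal to ".", and a reader has to work out that longer all-dot names are already caught by the consecutive-dot loop above, which is the reason a separate size-1 test is needed. I would make that explicit, e.g. `/* ... or a name that is just "." (longer all-dot names already fail the loop above) */`. The early `return GNUTLS_E_SUCCESS` for `name->size == 0` is redundant as written, since the loop does not execute and the size-1 check cannot match for an empty name, and the only statement after the new block is the same return; it is harmless, but if it is meant to document that empty constraints are deliberately accepted, a one-line comment saying so would make that intent clear rather than leaving it to look like a guard against out-of-bounds access. validate_name_constraints_node begins outside this hunk, so earlier checks on the same `name` are not visible here.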
 
-- 
GitLab

