From b027e3e7393d4f5fbefe33eb4fff1f2897ad0fca Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Thu, 13 Aug 2009 02:20:23 +0000
Subject: [PATCH] Fix certificateListValidate parsing of CRL extensions Fix
 attributeCertificateValidate

---
 servers/slapd/schema_init.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index bb027823ec..253cf9790e 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -319,10 +319,11 @@ certificateListValidate( Syntax *syntax, struct berval *in )
 			tag = ber_skip_tag( ber, &len );
 		}
 	}
-	/* Optional Extensions */
+	/* Optional Extensions - Sequence of Sequence */
 	if ( tag == SLAP_X509_OPT_CL_CRLEXTENSIONS ) { /* ? */
+		ber_len_t seqlen;
 		if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
-		tag = ber_skip_tag( ber, &len );
+		tag = ber_peek_tag( ber, &seqlen );
 		if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
 		ber_skip_data( ber, len );
 		tag = ber_skip_tag( ber, &len );
@@ -388,7 +389,7 @@ attributeCertificateValidate( Syntax *syntax, struct berval *in )
 	if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
 	ber_skip_data( ber, len );
 
-	ber_peek_tag( ber, &len );
+	tag = ber_peek_tag( ber, &len );
 
 	if ( tag == LBER_BITSTRING ) {	/* issuerUniqueID */
 		tag = ber_skip_tag( ber, &len );
-- 
2.39.5