From 4a8b8c4e09103360c9f723579459c8635717bd27 Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Mon, 19 Feb 2024 12:55:06 +0100
Subject: [PATCH] Fix a memory bug in ldap's ParseDN function by disabling part of the functionality

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
 pkg/util/pki/parse_test.go | 9 +++++++++
 pkg/util/pki/subject.go | 6 ++++++
 2 files changed, 15 insertions(+)

diff --git a/pkg/util/pki/parse_test.go b/pkg/util/pki/parse_test.go
index a219564c4..81d03e611 100644
--- a/pkg/util/pki/parse_test.go
+++ b/pkg/util/pki/parse_test.go
@@ -268,3 +268,12 @@ func TestMustKeepOrderInRawDerBytes(t *testing.T) {
 	assert.Equal(t, expectedRdnSeq, rdnSeq)
 	assert.Equal(t, subject, rdnSeq.String())
 }
+
+func TestShouldFailForHexDER(t *testing.T) {
+	_, err := ParseSubjectStringToRawDERBytes("DF=#6666666666665006838820013100000746939546349182108463491821809FBFFFFFFFFF")
+	if err == nil {
+		t.Fatal("expected error, but got none")
+	}
+
+	assert.Contains(t, err.Error(), "unsupported distinguished name (DN) \"DF=#6666666666665006838820013100000746939546349182108463491821809FBFFFFFFFFF\": notation does not support x509.subject identities containing \"=#\"")
+}
diff --git a/pkg/util/pki/subject.go b/pkg/util/pki/subject.go
index bf94e637c..b00b9f499 100644
--- a/pkg/util/pki/subject.go
+++ b/pkg/util/pki/subject.go
@@ -21,6 +21,8 @@ import (
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"errors"
+	"fmt"
+	"strings"
 
 	"github.com/go-ldap/ldap/v3"
 )
@@ -66,6 +68,10 @@ var attributeTypeNames = map[string][]int{
 }
 
 func UnmarshalSubjectStringToRDNSequence(subject string) (pkix.RDNSequence, error) {
+	if strings.Contains(subject, "=#") {
+		return nil, fmt.Errorf("unsupported distinguished name (DN) %q: notation does not support x509.subject identities containing \"=#\"", subject)
+	}
+
 	dns, err := ldap.ParseDN(subject)
 	if err != nil {
 		return nil, err
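Review bot: TestShouldFailForHexDER pins only the single rejecting case and reaches the new guard through ParseSubjectStringToRawDERBytes, while the guard itself (per the subject.go hunk) sits in UnmarshalSubjectStringToRDNSequence; that ParseSubjectStringToRawDERBytes delegates to it is not visible here, so a direct call to UnmarshalSubjectStringToRDNSequence in the test would tie the assertion to where the check actually lives. A companion case that is expected to still parse would document the guard's intended boundary for future readers, for example `_, err = ParseSubjectStringToRawDERBytes("CN=a\\=#b"); assert.NoError(t, err)` if escaped `=` is meant to be allowed, or an explicit error assertion if it is not. A one-line comment above the test stating why hex/BER values are refused (the commit subject's "memory bug in ldap's ParseDN") would keep that rationale next to the regression it protects, e.g. `// Hex-encoded ("=#...") attribute values are rejected up front rather than handed to ldap.ParseDN.`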
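Review bot: The guard `strings.Contains(subject, "=#")` is a raw substring match over the whole DN, so it also rejects a DN whose escaped or quoted value merely contains the two bytes `=#` (e.g. `CN=a\=#b`), which ParseDN would presumably not treat as a hex-encoded value — acceptable as a conservative DoS mitigation, but worth stating so callers do not read the error as a syntax problem. Conversely the guard is complete only if every form ParseDN treats as a hex value is literally `=#` with no intervening whitespace; that depends on the pinned go-ldap version and should be confirmed there rather than assumed. The new branch has no comment giving the reason for refusing the notation; I would add above the `if`: `// Reject hex-encoded (BER) attribute values ("=#...") up front instead of passing them to ldap.ParseDN, which does not handle them safely; they are unsupported in subject strings.` UnmarshalSubjectStringToRDNSequence continues past the end of the hunk.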