From 0af25e71ab0a3c24ca57feeb5af42b092c269a64 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 15 Oct 2018 12:13:38 +0100 Subject: [PATCH] Add parentheses about parameter of MBEDTLS_X509_ID_FLAG The `id` parameter of the public `MBEDTLS_X509_ID_FLAG` macro was used in a subtraction without being surrounded by parentheses. Since some operators bind less strongly than subtraction, this could lead to erroneous evaluation of `MBEDTLS_X509_ID_FLAG`. For example, `MBEDTLS_X509_ID_FLAG( 1 << 2 )` would evaluate evaluate to `1 << ( 1 << 2 - 1 ) == 1 << ( 1 << 1 ) == 4` instead of the intended `1 << ( ( 1 << 2 ) - 1 ) == 1 << ( 4 - 1 ) == 8`. This commit fixes this by adding parentheses about the `id` parameter in the definition of `MBEDTLS_X509_ID_FLAG`. --- include/mbedtls/x509_crt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index ac23cffe8..d725e29ea 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -98,7 +98,7 @@ mbedtls_x509_crt; * Build flag from an algorithm/curve identifier (pk, md, ecp) * Since 0 is always XXX_NONE, ignore it. */ -#define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) ) +#define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( ( id ) - 1 ) ) /** * Security profile for certificate verification.