From fd4dfa08b809602dd2499667e71a7b4606b4120f Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Wed, 14 Apr 2010 20:12:15 +0000
Subject: [PATCH] ITS#6466

---
 CHANGES                     | 1 +
 servers/slapd/schema_init.c | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 15d4896d1c..bcb099b4db 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,7 @@ OpenLDAP 2.4 Change Log
 
 OpenLDAP 2.4.22 Engineering
 	Added slapd SLAP_SCHEMA_EXPOSE flag for hidden schema elements (ITS#6435)
+	Fixed slapd certificateListValidate (ITS#6466)
 	Fixed slapd REP_ENTRY flag handling (ITS#5340)
 	Fixed slapd sasl auxprop_lookup (ITS#6441)
 	Fixed slapo-collect REP_ENTRY flag handling (ITS#5340,ITS#6423)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 9275d039a0..dc7fb9c583 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -326,9 +326,12 @@ certificateListValidate( Syntax *syntax, struct berval *in )
 	/* revokedCertificates - Sequence of Sequence, Optional */
 	if ( tag == LBER_SEQUENCE ) {
 		ber_len_t seqlen;
-		if ( ber_peek_tag( ber, &seqlen ) == LBER_SEQUENCE ) {
-			/* Should NOT be empty */
-			ber_skip_data( ber, len );
+		ber_tag_t stag;
+		stag = ber_peek_tag( ber, &seqlen );
+		if ( stag == LBER_SEQUENCE || !len ) {
+			/* RFC5280 requires non-empty, but X.509(2005) allows empty. */
+			if ( len )
+				ber_skip_data( ber, len );
 			tag = ber_skip_tag( ber, &len );
 		}
 	}
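Review bot: The new test `stag == LBER_SEQUENCE || !len` rests on a disambiguation the comment does not record: when revokedCertificates is absent, the SEQUENCE reached here is presumably the next field, signatureAlgorithm (an AlgorithmIdentifier, which starts with an OID and can never be empty), so a SEQUENCE whose first inner tag is SEQUENCE, or whose length is zero, can be taken as revokedCertificates without risk of swallowing signatureAlgorithm. The added comment only notes the RFC5280/X.509(2005) disagreement, so the reason the empty case cannot be mis-attributed is lost on the next reader; I would extend it to `/* An empty SEQUENCE cannot be an AlgorithmIdentifier (signatureAlgorithm), so treat it as revokedCertificates. RFC5280 requires non-empty, but X.509(2005) allows empty. */`. Minor: when `len` is zero the peek reads the tag of the following element and its result is ignored; `if ( !len || ber_peek_tag( ber, &seqlen ) == LBER_SEQUENCE )` avoids that needless peek and makes the empty case read first. certificateListValidate begins before and continues after this hunk, so the fields that follow are inferred rather than visible.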
-- 
GitLab