Reject trailing data in ClientHello and EncryptedExtensions trust_anchors

Bug: 505803427
Change-Id: Ia88e6a12de7ceefad686336272447789b4ecffe3
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/93969
Reviewed-by: Lily Chen <chlily@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Presubmit-BoringSSL-Verified: boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Commit-Queue: Lily Chen <chlily@google.com>
diff --git a/ssl/extensions.cc b/ssl/extensions.cc
index 640001a..7a93e93 100644
--- a/ssl/extensions.cc
+++ b/ssl/extensions.cc
@@ -2865,7 +2865,8 @@
 
   CBS child;
   if (!CBS_get_u16_length_prefixed(contents, &child) ||
-      !ssl_is_valid_trust_anchor_list(child)) {
+      !ssl_is_valid_trust_anchor_list(child) ||  //
+      CBS_len(contents) != 0) {
     *out_alert = SSL_AD_DECODE_ERROR;
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
     return false;
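Review bot: The new `CBS_len(contents) != 0` condition at the end of the guard is uncommented, whereas the neighbouring `CBS_len(&child) == 0` check in the second extensions.cc hunk carries a one-line rationale; a note such as `// The extension body must hold nothing beyond the length-prefixed list.` would make this decode-error branch self-explanatory. The same comment belongs on the identical condition added in the second extensions.cc hunk, so one wording should be reused in both places. The enclosing parse function starts and ends outside the hunk, so this assumes `contents` is the extension body after the outer extension framing has already been stripped. Evaluating list validity before the trailing-data check changes nothing observable, since both failures map to SSL_AD_DECODE_ERROR and SSL_R_DECODE_ERROR.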
@@ -2937,8 +2938,9 @@
   CBS child;
   if (!CBS_get_u16_length_prefixed(contents, &child) ||
       // The list of available trust anchors may not be empty.
-      CBS_len(&child) == 0 ||  //
-      !ssl_is_valid_trust_anchor_list(child)) {
+      CBS_len(&child) == 0 ||                    //
+      !ssl_is_valid_trust_anchor_list(child) ||  //
+      CBS_len(contents) != 0) {
     *out_alert = SSL_AD_DECODE_ERROR;
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
     return false;
diff --git a/ssl/test/runner/extension_tests.go b/ssl/test/runner/extension_tests.go
index 1d39e5d..ab9b0b0 100644
--- a/ssl/test/runner/extension_tests.go
+++ b/ssl/test/runner/extension_tests.go
@@ -2501,6 +2501,54 @@
 					expectedError:      ":ERROR_PARSING_EXTENSION:",
 					expectedLocalError: "remote error: error decoding message",
 				})
+
+				testCases = append(testCases, testCase{
+					protocol: protocol,
+					testType: clientTest,
+					name:     "ExtensionTrailingData-TrustAnchors-EncryptedExtensions-Client-" + suffix,
+					config: Config{
+						MaxVersion:            ver.version,
+						AvailableTrustAnchors: [][]byte{{1}},
+						Bugs: ProtocolBugs{
+							ExtensionsWithTrailingData: []uint16{extensionTrustAnchors},
+						},
+					},
+					flags:              []string{"-requested-trust-anchors", trustAnchorListFlagValue([]byte{2})},
+					shouldFail:         true,
+					expectedError:      ":ERROR_PARSING_EXTENSION:",
+					expectedLocalError: "remote error: error decoding message",
+				})
+				testCases = append(testCases, testCase{
+					protocol: protocol,
+					testType: clientTest,
+					name:     "ExtensionTrailingData-TrustAnchors-Certificate-Client-" + suffix,
+					config: Config{
+						MaxVersion: ver.version,
+						Bugs: ProtocolBugs{
+							AlwaysMatchTrustAnchorID:   true,
+							ExtensionsWithTrailingData: []uint16{extensionTrustAnchors},
+						},
+					},
+					flags:              []string{"-requested-trust-anchors", trustAnchorListFlagValue([]byte{2})},
+					shouldFail:         true,
+					expectedError:      ":ERROR_PARSING_EXTENSION:",
+					expectedLocalError: "remote error: error decoding message",
+				})
+				testCases = append(testCases, testCase{
+					protocol: protocol,
+					testType: serverTest,
+					name:     "ExtensionTrailingData-TrustAnchors-ClientHello-Server-" + suffix,
+					config: Config{
+						MaxVersion:          ver.version,
+						RequestTrustAnchors: [][]byte{{1}},
+						Bugs: ProtocolBugs{
+							ExtensionsWithTrailingData: []uint16{extensionTrustAnchors},
+						},
+					},
+					shouldFail:         true,
+					expectedError:      ":ERROR_PARSING_EXTENSION:",
+					expectedLocalError: "remote error: error decoding message",
+				})
 			}
 		}
 	}
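Review bot: The `ExtensionTrailingData-TrustAnchors-Certificate-Client` case targets the Certificate-message trust_anchors parser, but the extensions.cc hunks in this change only touch the ClientHello and EncryptedExtensions guards; since the case expects `:ERROR_PARSING_EXTENSION:`, presumably that parser already rejected trailing data and this test merely pins existing behaviour. A short comment above that append, e.g. `// Certificate trust_anchors already rejects trailing data; pinned here for symmetry.`, would save a later reader from looking for a missing code change. The enclosing version/protocol loop starts outside the hunk.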