From 9d95c912b5843e664c8210887a6719f02a9028be Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 24 May 2017 10:46:03 +0200
Subject: ext/status_request: ensure response IDs are properly deinitialized

That is, do not attempt to loop through the array if there is no array allocated.

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/ext/status_request.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index 8cefc617e0..1340dbbb53 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -68,7 +68,10 @@ typedef struct {
 static void deinit_responder_id(status_request_ext_st *priv) {
-unsigned i;
+ unsigned i;
+
+ if (priv->responder_id == NULL)
+ return;
 for (i = 0; i < priv->responder_id_size; i++) gnutls_free(priv->responder_id[i].data);
@@ -134,6 +137,7 @@ server_recv(gnutls_session_t session,
 { size_t i; ssize_t data_size = size;
+ unsigned responder_ids = 0;
 /* minimum message is type (1) + responder_id_list (2) + request_extension (2) = 5 */
@@ -152,23 +156,24 @@ server_recv(gnutls_session_t session,
 DECR_LEN(data_size, 1); data++;
- priv->responder_id_size = _gnutls_read_uint16(data);
+ responder_ids = _gnutls_read_uint16(data);
 DECR_LEN(data_size, 2); data += 2;
- if (data_size <= (ssize_t) (priv->responder_id_size * 2))
+ if (data_size <= (ssize_t) (responder_ids * 2))
 return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
- if (priv->responder_id != NULL)
- deinit_responder_id(priv);
+ deinit_responder_id(priv);
- priv->responder_id = gnutls_calloc(1, priv->responder_id_size
+ priv->responder_id = gnutls_calloc(1, responder_ids
 * sizeof(*priv->responder_id)); if (priv->responder_id == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ priv->responder_id_size = responder_ids;
+
 for (i = 0; i < priv->responder_id_size; i++) { size_t l;
-- 
cgit v1.2.1
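Review bot: The early return added at the top of deinit_responder_id() (first hunk) leaves priv->responder_id_size untouched, so the structure can still pair a NULL array with a non-zero count after the call. Any other reader of the count would then have to repeat the NULL check. Clearing the count in the guard keeps the two fields consistent: `if (priv->responder_id == NULL) { priv->responder_id_size = 0; return; }`. The rest of the function lies outside the hunk, so whether the normal path already resets the count cannot be confirmed from here.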
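Review bot: In the third hunk (server_recv), a peer-supplied count of zero reaches `gnutls_calloc(1, responder_ids * sizeof(*priv->responder_id))` as a zero-byte request, and the NULL test that follows maps a NULL result to GNUTLS_E_MEMORY_ERROR. If gnutls_calloc forwards to the C library's calloc (not visible here), a zero-size request may return NULL on some platforms, so an empty responder list would be rejected there as an out-of-memory condition. Testing `if (priv->responder_id == NULL && responder_ids != 0)` avoids that, and `gnutls_calloc(responder_ids, sizeof(*priv->responder_id))` leaves the size multiplication to the allocator. server_recv starts before and continues past this hunk.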