From ca573d65b73b16f1d7228000e386e5f3649442b8 Mon Sep 17 00:00:00 2001 From: Martin Ukrop Date: Wed, 27 Jul 2016 15:41:08 +0200 Subject: [PATCH] x059: Fix asymmetry in name constraints intersection - In _gnutls_name_constraints_intersect, if *_nc had a node of some type not present in _nc2, this was preserved. However, if it was vice versa (_nc2 having a type not present in *_nc), this node was discarded. - This is now fixed. - Removed redundant return value check that was accidentally left when refactoring from set_datum to explicit NULL setting. Signed-off-by: Martin Ukrop --- lib/x509/name_constraints.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c index 2f743a2dd5..1b448a4132 100644 --- a/lib/x509/name_constraints.c +++ b/lib/x509/name_constraints.c @@ -156,7 +156,7 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc, name_constraints_node_st ** _nc_excluded) { name_constraints_node_st *nc, *nc2, *t, *tmp, *dest = NULL, *prev = NULL; - int ret, type; + int ret, type, used; /* temporary array to see, if we need to add universal excluded constraints * (see phase 3 for details) @@ -206,11 +206,15 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc, * and create intersections of nodes with same type */ nc2 = _nc2; while (nc2 != NULL) { + // current nc2 node has not yet been used for any intersection + // (and is not in DEST either) + used = 0; t = nc; while (t != NULL) { // save intersection of name constraints into tmp ret = name_constraints_intersect_nodes(t, nc2, &tmp); if (ret < 0) return gnutls_assert_val(ret); + used = 1; // if intersection is not empty if (tmp != NULL) { // intersection for this type is not empty // check bounds @@ -226,6 +230,22 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc, } t = t->next; } + // if the node from nc2 was not used for intersection, copy it to DEST + if (!used) { + tmp = gnutls_malloc(sizeof(struct name_constraints_node_st)); + if (tmp == NULL) { + _gnutls_name_constraints_node_free(dest); + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + } + tmp->type = nc2->type; + ret = _gnutls_set_datum(&tmp->name, nc2->name.data, nc2->name.size); + if (ret < 0) { + _gnutls_name_constraints_node_free(dest); + return gnutls_assert_val(ret); + } + tmp->next = dest; + dest = tmp; + } nc2 = nc2->next; } @@ -250,10 +270,6 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc, tmp->type = type; tmp->name.data = NULL; tmp->name.size = 0; - if (ret < 0) { - _gnutls_name_constraints_node_free(tmp); - return gnutls_assert_val(ret); - } tmp->next = *_nc_excluded; *_nc_excluded = tmp; } -- 2.47.3