From: Martin Ukrop <mukrop@redhat.com>
Date: Wed, 27 Jul 2016 13:41:08 +0000 (+0200)
Subject: x059: Fix asymmetry in name constraints intersection
X-Git-Tag: gnutls_3_5_3~30
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ca573d65;p=thirdparty%2Fgnutls.git

x059: Fix asymmetry in name constraints intersection

- In _gnutls_name_constraints_intersect, if *_nc had a node of some type not present in _nc2, this was preserved. However, if it was vice versa (_nc2 having a type not present in *_nc), this node was discarded.
- This is now fixed.
- Removed redundant return value check that was accidentally left when refactoring from set_datum to explicit NULL setting.

Signed-off-by: Martin Ukrop <mukrop@redhat.com>
---

diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index 2f743a2dd5..1b448a4132 100644
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -156,7 +156,7 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc,
 					   name_constraints_node_st ** _nc_excluded)
 {
 	name_constraints_node_st *nc, *nc2, *t, *tmp, *dest = NULL, *prev = NULL;
-	int ret, type;
+	int ret, type, used;
 
 	/* temporary array to see, if we need to add universal excluded constraints
 	 * (see phase 3 for details)
@@ -206,11 +206,15 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc,
 	 * and create intersections of nodes with same type */
 	nc2 = _nc2;
 	while (nc2 != NULL) {
+		// current nc2 node has not yet been used for any intersection
+		// (and is not in DEST either)
+		used = 0;
 		t = nc;
 		while (t != NULL) {
 			// save intersection of name constraints into tmp
 			ret = name_constraints_intersect_nodes(t, nc2, &tmp);
 			if (ret < 0) return gnutls_assert_val(ret);
+			used = 1;
 			// if intersection is not empty
 			if (tmp != NULL) { // intersection for this type is not empty
 				// check bounds
@@ -226,6 +230,22 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc,
 			}
 			t = t->next;
 		}
+		// if the node from nc2 was not used for intersection, copy it to DEST
+		if (!used) {
+			tmp = gnutls_malloc(sizeof(struct name_constraints_node_st));
+			if (tmp == NULL) {
+				_gnutls_name_constraints_node_free(dest);
+				return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+			}
+			tmp->type = nc2->type;
+			ret = _gnutls_set_datum(&tmp->name, nc2->name.data, nc2->name.size);
+			if (ret < 0) {
+				_gnutls_name_constraints_node_free(dest);
+				return gnutls_assert_val(ret);
+			}
+			tmp->next = dest;
+			dest = tmp;
+		}
 		nc2 = nc2->next;
 	}
 
@@ -250,10 +270,6 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc,
 		tmp->type = type;
 		tmp->name.data = NULL;
 		tmp->name.size = 0;
-		if (ret < 0) {
-			_gnutls_name_constraints_node_free(tmp);
-			return gnutls_assert_val(ret);
-		}
 		tmp->next = *_nc_excluded;
 		*_nc_excluded = tmp;
 	}