x509: parse_tlsfeatures: move limit check at the point of addition

This prevents appending failures when verifying chains on certificates
which use the maximum allowed number of features. Suggested by Tim
Kosse.

diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
index 4e9af34bed6ee46f03d7d552a3087d9c25a49966..ab31ac30bd405f60b65cd88f59993c962f82067f 100644 (file)
--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
@@ -3180,11 +3180,6 @@ static int parse_tlsfeatures(ASN1_TYPE c2, gnutls_x509_tlsfeatures_t f, unsigned
                        return GNUTLS_E_CERTIFICATE_ERROR;
                }
 
-               if (f->size >= sizeof(f->feature)/sizeof(f->feature[0])) {
-                       gnutls_assert();
-                       return GNUTLS_E_INTERNAL_ERROR;
-               }
-
                /* skip duplicates */
                for (j=0;j<f->size;j++) {
                        if (f->feature[j] == feature) {
@@ -3194,6 +3189,11 @@ static int parse_tlsfeatures(ASN1_TYPE c2, gnutls_x509_tlsfeatures_t f, unsigned
                }
 
                if (!skip) {
+                       if (f->size >= sizeof(f->feature)/sizeof(f->feature[0])) {
+                               gnutls_assert();
+                               return GNUTLS_E_INTERNAL_ERROR;
+                       }
+
                        indx = f->size;
                        f->feature[indx] = feature;
                        f->size++;