x509: drop endless loop in print_extensions

If crq is malformed in extensions part, print_extensions() might loop
endlessly because gnutls_x509_crq_get_extension_info would return
unhandled GNUTLS_ASN1_DER_ERROR looping over extension index, rather
than bailing out. Fix this by handling this error code properly. Found
thanks to oss-fuzz.

Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

diff --git a/fuzz/gnutls_x509_crq_parser_fuzzer.repro/609921afff38ec5b52feb7e17aa3035bdce0e0d3 b/fuzz/gnutls_x509_crq_parser_fuzzer.repro/609921afff38ec5b52feb7e17aa3035bdce0e0d3
new file mode 100644 (file)
index 0000000..4fe047d
Binary files /dev/null and b/fuzz/gnutls_x509_crq_parser_fuzzer.repro/609921afff38ec5b52feb7e17aa3035bdce0e0d3 differ

diff --git a/lib/x509/output.c b/lib/x509/output.c
index 2aa78b478ba0da10fa95321251238de9a1f4a25c..6f829b06acf45ff9619ff1241ab279b4537e8a82 100644 (file)
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -1281,12 +1281,12 @@ print_extensions(gnutls_buffer_st * str, const char *prefix, int type,
                        return;
                }
 
+               if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+                       break;
                if (err < 0) {
-                       if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
-                               break;
                        addf(str, "error: get_extension_info: %s\n",
                             gnutls_strerror(err));
-                       continue;
+                       break;
                }
 
                if (i == 0)