authorTheo Buehler <tb@cvs.openbsd.org>2023-05-05 14:05:34 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2023-05-05 14:05:34 +0000
commit4c8b1bd7c95b8c9ad74cf890d29d2feabcb5eb3c (patch)
tree55e34cd8c2e77e951cf6b98e9f6d845d7d1fdad7 /lib/libtls/tls_verify.c
parenteb2e2c31677c2e6a97b691d677e1ef806ad1c8c5 (diff)
Fix error handling in tls_check_common_name()
A calloc failure should be a fatal error, so make it return -1. Also switch the default rv to -1 and distinguish error cases from acceptable situations with goto err/goto done. ok jsing
Diffstat (limited to 'lib/libtls/tls_verify.c')
-rw-r--r--lib/libtls/tls_verify.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index acbe163ffdf..685146a4a9a 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.20 2018/02/05 00:52:24 jsing Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.21 2023/05/05 14:05:33 tb Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
*
@@ -209,7 +209,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
char *common_name = NULL;
union tls_addr addrbuf;
int common_name_len;
- int rv = 0;
+ int rv = -1;
*cn_match = 0;
@@ -223,8 +223,10 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
goto done;
common_name = calloc(common_name_len + 1, 1);
- if (common_name == NULL)
- goto done;
+ if (common_name == NULL) {
+ tls_set_error(ctx, "out of memory");
+ goto err;
+ }
X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name,
common_name_len + 1);
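Review bot: The second `X509_NAME_get_text_by_NID()` call, which fills `common_name` right after the new allocation check, still discards its return value. Now that a calloc failure is fatal, a failed or short copy here deserves the same treatment: set an error with `tls_set_errorx()` and `goto err` when the call does not return `common_name_len`. The length comparison that follows lies outside this hunk, so it may already reject that case, but presumably under the "NUL byte in Common Name" message, which would misreport the cause. The function body starts before and continues after this hunk.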
@@ -235,8 +237,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
tls_set_errorx(ctx, "error verifying name '%s': "
"NUL byte in Common Name field, "
"probably a malicious certificate", name);
- rv = -1;
- goto done;
+ goto err;
}
/*
@@ -254,6 +255,9 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
*cn_match = 1;
done:
+ rv = 0;
+
+ err:
free(common_name);
return rv;
}
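Review bot: The `done:`/`err:` pair at the end of the function depends on label order, with the success path setting `rv = 0` and falling through into the shared `free()`, and nothing in the code says so. A comment above `done:` such as `/* Not an error: *cn_match holds the result. */` and one above `err:` such as `/* Fatal: rv is still -1 and an error is set on ctx. */` would make the contract explicit. Because `rv` now defaults to -1, every `goto err` must be preceded by a `tls_set_error()` or `tls_set_errorx()` call, and that rule is worth stating in the function's header comment. The function begins outside this hunk.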