Diffstat (limited to 'libdane/dane.c')
-rw-r--r-- | libdane/dane.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/libdane/dane.c b/libdane/dane.c index 42c98933a4..d7191de273 100644 --- a/libdane/dane.c +++ b/libdane/dane.c @@ -851,7 +851,7 @@ dane_verify_crt_raw(dane_state_t s, * * Note that this function is designed to be run in addition to * PKIX - certificate chain - verification. To be run independently - * the %DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified; + * the %DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified; * then the function will check whether the key of the peer matches the * key advertized in the DANE entry. * @@ -946,7 +946,6 @@ dane_verify_session_crt(dane_state_t s, /* this list may be incomplete, try to get the self-signed CA if any */ if (cert_list_size > 0) { - gnutls_datum_t new_cert_list[cert_list_size+1]; gnutls_x509_crt_t crt, ca; gnutls_certificate_credentials_t sc; @@ -987,11 +986,21 @@ dane_verify_session_crt(dane_state_t s, } /* make the new list */ + gnutls_datum_t *new_cert_list; + + new_cert_list = gnutls_malloc((cert_list_size + 1) * sizeof(gnutls_datum_t)); + if (new_cert_list == NULL) { + gnutls_assert(); + gnutls_x509_crt_deinit(crt); + goto failsafe; + } + memcpy(new_cert_list, cert_list, cert_list_size*sizeof(gnutls_datum_t)); ret = gnutls_x509_crt_export2(ca, GNUTLS_X509_FMT_DER, &new_cert_list[cert_list_size]); if (ret < 0) { gnutls_assert(); + free(new_cert_list); gnutls_x509_crt_deinit(crt); goto failsafe; } @@ -1003,6 +1012,7 @@ dane_verify_session_crt(dane_state_t s, gnutls_assert(); } gnutls_free(new_cert_list[cert_list_size].data); + free(new_cert_list); return ret; } |
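Review bot: The new buffer is obtained with `gnutls_malloc()` but released with plain `free()`, both on the export-failure path in the `@@ -987,11 +986,21 @@` hunk and on the success path in the `@@ -1003,6 +1012,7 @@` hunk, while the adjacent line already uses `gnutls_free()` for the exported data. GnuTLS routes allocation through replaceable function pointers, so pairing `gnutls_malloc` with libc `free` is only correct while the default allocator is installed; both calls should read `gnutls_free(new_cert_list);`. Separately, `(cert_list_size + 1) * sizeof(gnutls_datum_t)` is computed without an overflow check on a count that presumably comes from the peer's certificate chain. The type and upper bound of `cert_list_size` are not visible in these hunks, so confirm it is bounded before the multiplication. The body of dane_verify_session_crt starts and ends outside the hunks shown.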