From e04f45d0283a80c990a9e1d7537ab871b769fdaf Mon Sep 17 00:00:00 2001 From: Dmitry Baryshkov Date: Tue, 10 Mar 2020 12:12:36 +0300 Subject: x509: drop endless loop in print_extensions If crq is malformed in extensions part, print_extensions() might loop endlessly because gnutls_x509_crq_get_extension_info would return unhandled GNUTLS_ASN1_DER_ERROR looping over extension index, rather than bailing out. Fix this by handling this error code properly. Found thanks to oss-fuzz. Signed-off-by: Dmitry Baryshkov --- .../609921afff38ec5b52feb7e17aa3035bdce0e0d3 | Bin 0 -> 830 bytes lib/x509/output.c | 6 +++--- 2 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 fuzz/gnutls_x509_crq_parser_fuzzer.repro/609921afff38ec5b52feb7e17aa3035bdce0e0d3 diff --git a/fuzz/gnutls_x509_crq_parser_fuzzer.repro/609921afff38ec5b52feb7e17aa3035bdce0e0d3 b/fuzz/gnutls_x509_crq_parser_fuzzer.repro/609921afff38ec5b52feb7e17aa3035bdce0e0d3 new file mode 100644 index 0000000000..4fe047d3c3 Binary files /dev/null and b/fuzz/gnutls_x509_crq_parser_fuzzer.repro/609921afff38ec5b52feb7e17aa3035bdce0e0d3 differ diff --git a/lib/x509/output.c b/lib/x509/output.c index 2aa78b478b..6f829b06ac 100644 --- a/lib/x509/output.c +++ b/lib/x509/output.c @@ -1281,12 +1281,12 @@ print_extensions(gnutls_buffer_st * str, const char *prefix, int type, return; } + if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; if (err < 0) { - if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; addf(str, "error: get_extension_info: %s\n", gnutls_strerror(err)); - continue; + break; } if (i == 0) -- cgit v1.2.1
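Review bot: In the `if (err < 0)` branch of print_extensions(), the switch from `continue` to `break` is the actual fix, but the code carries no comment saying why, so a later cleanup could restore `continue` in order to print the remaining extensions. As the commit message describes it, the loop walks the extension index and a persistent decoding error is returned for every index, so only leaving the loop ends it. Please add a one-line comment above the `break` saying that. Hoisting the `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE` test above `if (err < 0)` does not look like it changes behaviour. Either leave it where it was, so the fix is a single line, or mention the move in the commit message as cleanup. The hunk header shows print_extensions() takes a `type` argument while the message only talks about crq, so it would help to state whether the new `break` is meant to apply to the other object types as well. Output after the "error: get_extension_info" line is now cut short for them too.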