From 98f90f2f596502520f1bd3e959c9978d81c04777 Mon Sep 17 00:00:00 2001
From: Tom Carroll
Date: Mon, 17 May 2021 10:08:29 -0700
Subject: [PATCH] Check gnutls_pubkey_init return code.

gnutls_pubkey_import_x509 doesn't verify if pubkey == NULL.

Signed-off-by: Tom Carroll
---
 gnutls.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/gnutls.c b/gnutls.c
index e2e21334a..9b08047fd 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1583,11 +1583,12 @@ static int load_certificate(struct openconnect_info *vpninfo, struct cert_info *

 /* If extra_certs[] is NULL, we have one candidate in 'cert' to check. */
 for (j = 0; j < (extra_certs ? nr_extra_certs : 1); j++) {
- gnutls_pubkey_t pubkey;
+ gnutls_pubkey_t pubkey = NULL;

- gnutls_pubkey_init(&pubkey);
- err = gnutls_pubkey_import_x509(pubkey, extra_certs ? extra_certs[j] : cert, 0);
- if (err) {
+ err = gnutls_pubkey_init(&pubkey);
+ if (err >= 0)
+ err = gnutls_pubkey_import_x509(pubkey, extra_certs ? extra_certs[j] : cert, 0);
+ if (err < 0) {
 vpn_progress(vpninfo, PRG_ERR,
 _("Error validating signature against certificate: %s\n"),
 gnutls_strerror(err));
-- 
GitLab
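Review bot: The `if (err < 0)` branch is now reached when gnutls_pubkey_init() fails as well as when the import fails, but the rest of that branch after the vpn_progress() call is outside the hunk, so it cannot be confirmed here that its cleanup copes with `pubkey` still being NULL. The `= NULL` initializer suggests that was the intent; a comment on it such as `/* stays NULL if init fails; the error path below must tolerate that */` would record it for the next maintainer. The message also still reads "Error validating signature against certificate" for what would presumably be an allocation failure, although gnutls_strerror(err) does print the underlying cause. load_certificate's body starts and ends outside the hunk.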