Check gnutls_pubkey_init return code.
authorTom Carroll <incentivedesign@gmail.com>
Mon, 17 May 2021 17:08:29 +0000 (10:08 -0700)
committerTom Carroll <incentivedesign@gmail.com>
Mon, 17 May 2021 17:08:29 +0000 (10:08 -0700)
gnutls_pubkey_import_x509 doesn't verify if pubkey == NULL.

Signed-off-by: Tom Carroll <incentivedesign@gmail.com>
gnutls.c

index e2e21334a4dde449deb72a13e091338de1f729b8..9b08047fdc02174a62b9f5c4ee1445dd46a53d2b 100644 (file)
--- a/gnutls.c
+++ b/gnutls.c
@@ -1583,11 +1583,12 @@ static int load_certificate(struct openconnect_info *vpninfo, struct cert_info *
 
                        /* If extra_certs[] is NULL, we have one candidate in 'cert' to check. */
                        for (j = 0; j < (extra_certs ? nr_extra_certs : 1); j++) {
-                               gnutls_pubkey_t pubkey;
+                               gnutls_pubkey_t pubkey = NULL;
 
-                               gnutls_pubkey_init(&pubkey);
-                               err = gnutls_pubkey_import_x509(pubkey, extra_certs ? extra_certs[j] : cert, 0);
-                               if (err) {
+                               err = gnutls_pubkey_init(&pubkey);
+                               if (err >= 0)
+                                       err = gnutls_pubkey_import_x509(pubkey, extra_certs ? extra_certs[j] : cert, 0);
+                               if (err < 0) {
                                        vpn_progress(vpninfo, PRG_ERR,
                                                     _("Error validating signature against certificate: %s\n"),
                                                     gnutls_strerror(err));
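Review bot: A failure of `gnutls_pubkey_init` now falls into the same `if (err < 0)` branch as a failed `gnutls_pubkey_import_x509`, so it is logged as "Error validating signature against certificate". That wording points at the certificate when the real cause is a library or allocation error, and only the `gnutls_strerror(err)` suffix tells the two apart. Either handle the init result with its own message, or add a comment above the branch such as `/* err may come from gnutls_pubkey_init or gnutls_pubkey_import_x509 */`. The `pubkey = NULL` initialiser also deserves a one-line comment saying why it is needed, presumably so later cleanup sees a defined value when init fails. The rest of the error branch and the loop body are outside this hunk, so confirm that the cleanup there tolerates a NULL `pubkey`.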