From f21b5d4e6628370e1400d9503ee243f5150b5cea Mon Sep 17 00:00:00 2001
From: Joshua Rogers
Date: Tue, 19 May 2026 16:16:12 +0200
Subject: [PATCH] gtls: fix ignored return and uninitialized status in OCSP check

gnutls_ocsp_resp_get_single() was called with (void) discarding its return value, so a failure (e.g. an OCSP response with no SingleResponse entries) went undetected. The following switch() then read an uninitialized gnutls_ocsp_cert_status_t, which is undefined behaviour and could yield GNUTLS_OCSP_CERT_GOOD (0) depending on stack contents, causing gtls_verify_ocsp_status to return CURLE_OK for a response that was never successfully parsed.

Fix by initializing status to GNUTLS_OCSP_CERT_UNKNOWN and treating a negative return from gnutls_ocsp_resp_get_single as an error.

Closes #21679
---
 lib/vtls/gtls.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 22001c3391..d0b851e0eb 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -1429,7 +1429,7 @@ static CURLcode gtls_verify_ocsp_status(struct Curl_easy *data,
 {
   gnutls_ocsp_resp_t ocsp_resp = NULL;
   gnutls_datum_t status_request;
-  gnutls_ocsp_cert_status_t status;
+  gnutls_ocsp_cert_status_t status = GNUTLS_OCSP_CERT_UNKNOWN;
   gnutls_x509_crl_reason_t reason;
   CURLcode result = CURLE_OK;
   int rc;
@@ -1461,8 +1461,13 @@ static CURLcode gtls_verify_ocsp_status(struct Curl_easy *data,
     goto out;
   }
 
-  (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-                                    &status, NULL, NULL, NULL, &reason);
+  rc = gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+                                   &status, NULL, NULL, NULL, &reason);
+  if(rc < 0) {
+    failf(data, "Invalid OCSP response received");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto out;
+  }
 
   switch(status) {
   case GNUTLS_OCSP_CERT_GOOD:
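Review bot: The `reason` out-parameter passed on the `&status, NULL, NULL, NULL, &reason` line is still declared without an initializer in the first hunk, so it has the same exposure the commit fixes for `status` if a GnuTLS version leaves it untouched on a non-revoked result and the GNUTLS_OCSP_CERT_REVOKED branch (outside this hunk) later reads it; `gnutls_x509_crl_reason_t reason = GNUTLS_X509_CRLREASON_UNSPECIFIED;` closes that at no cost. The new failure message discards the only diagnostic GnuTLS gives, so `failf(data, "Invalid OCSP response received: %s", gnutls_strerror(rc));` would make field reports of rejected staples actionable. The call still hard-codes SingleResponse index 0; unless the lines between the two hunks pair that entry with the peer certificate (for instance via gnutls_ocsp_resp_check_crt), a response containing a GOOD entry for some other certificate would be accepted, which is worth a confirming comment at the call site. gtls_verify_ocsp_status begins before the first hunk and its switch continues past the last line shown.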