Merge pull request #2777 from rgerhards/nsd-gtls-misadressing

nds_gtls: fix regression that could lead to attack (never released)

runtime/nsd_gtls.c

@@ -182,7 +182,6 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
 	gnutls_datum_t data = { NULL, 0 };
 	uchar *keyFile;
 	uchar *certFile;
-	int lenRcvd;
 
 	ISOBJ_TYPE_assert(pThis, nsd_gtls);
 
@@ -202,10 +201,11 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
 
 	/* try load certificate */
 	CHKiRet(readFile(certFile, &data));
-	pThis->nOurCerts=sizeof(pThis->pOurCerts);
-	lenRcvd=gnutls_x509_crt_list_import(pThis->pOurCerts, &pThis->nOurCerts, &data, GNUTLS_X509_FMT_PEM,0);
-	if (lenRcvd<0) {
-		CHKgnutls(lenRcvd);
+	pThis->nOurCerts = sizeof(pThis->pOurCerts) / sizeof(gnutls_x509_crt_t);
+	gnuRet = gnutls_x509_crt_list_import(pThis->pOurCerts, &pThis->nOurCerts,
+		&data, GNUTLS_X509_FMT_PEM,  GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
+	if(gnuRet < 0) {
+		ABORTgnutls;
 	}
 	pThis->bOurCertIsInit = 1;
 	free(data.data);