[ipxe-devel] [PATCH v2 1/2] [crypto] Fail fast if cross-certificate source is empty

Ladi Prosek lprosek at redhat.com
Wed Sep 20 09:52:16 UTC 2017


In fully self-contained deployments it may be desirable to build iPXE
with an empty CROSSCERT source to avoid talking to external services.
This commit adds an explicit check for such a case and makes
validator_start_download fail immediately if the base URI is empty.

Signed-off-by: Ladi Prosek <lprosek at redhat.com>
---
 src/net/validator.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/net/validator.c b/src/net/validator.c
index 52845b6e..069ba0c8 100644
--- a/src/net/validator.c
+++ b/src/net/validator.c
@@ -240,6 +240,11 @@ static int validator_start_download ( struct validator *validator,
 	fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy );
 	crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );
 
+	if ( ! *crosscert ) {
+		rc = -EINVAL;
+		goto err_check_uri_string;
+	}
+
 	/* Allocate URI string */
 	uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */
 			   + base64_encoded_len ( issuer->len ) + 1 /* NUL */ );
@@ -276,6 +281,7 @@ static int validator_start_download ( struct validator *validator,
 
  err_open_uri_string:
 	free ( uri_string );
+ err_check_uri_string:
  err_alloc_uri_string:
 	free ( crosscert_copy );
 	return rc;
-- 
2.13.5




More information about the ipxe-devel mailing list