From b2b45d3f4ade9a84d1a6365a470443155fae0e34 Mon Sep 17 00:00:00 2001
From: toddouska <todd@yassl.com>
Date: Wed, 20 Feb 2013 15:26:22 -0800
Subject: [PATCH] sb fixes for crl and ocsp

---
 ctaocrypt/src/asn.c |  3 ++-
 src/io.c            |  7 ++++++-
 src/ocsp.c          |  4 ++--
 src/ssl.c           | 10 ++++++++--
 4 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c
index fcf812e8f..a99fa607f 100644
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
@@ -4295,7 +4295,8 @@ static int DecodeSingleResponse(byte* source,
             break;
         case (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CERT_REVOKED):
             cs->status = CERT_REVOKED;
-            GetLength(source, &idx, &length, size);
+            if (GetLength(source, &idx, &length, size) < 0)
+                return ASN_PARSE_E;
             idx += length;
             break;
         case (ASN_CONTEXT_SPECIFIC | CERT_UNKNOWN):
diff --git a/src/io.c b/src/io.c
index b55e60fb5..624f5742c 100644
--- a/src/io.c
+++ b/src/io.c
@@ -506,6 +506,10 @@ static INLINE int tcp_connect(SOCKET_T* sockfd, const char* ip, word16 port)
     }
 
     *sockfd = socket(AF_INET_V, SOCK_STREAM, 0);
+    if (*sockfd < 0) {
+        CYASSL_MSG("bad socket fd, out of fds?");
+        return -1;
+    }
     XMEMSET(&addr, 0, sizeof(SOCKADDR_IN_T));
 
     addr.sin_family = AF_INET_V;
@@ -672,7 +676,7 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz,
                         byte* ocspReqBuf, int ocspReqSz, byte** ocspRespBuf)
 {
     char domainName[80], path[80];
-    int port, httpBufSz, sfd;
+    int port, httpBufSz, sfd = -1;
     int ocspRespSz = 0;
     byte* httpBuf = NULL;
 
@@ -725,6 +729,7 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz,
         }
     } else {
         CYASSL_MSG("OCSP Responder connection failed");
+        close(sfd);
         return -1;
     }
 
diff --git a/src/ocsp.c b/src/ocsp.c
index c9838b556..6fd3dbe13 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -274,7 +274,7 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
     }
 
     if (ocsp->useOverrideUrl || cert->extAuthInfo == NULL) {
-        if (ocsp->overrideUrl != NULL) {
+        if (ocsp->overrideUrl[0] != '\0') {
             url = ocsp->overrideUrl;
             urlSz = (int)XSTRLEN(url);
         }
@@ -299,7 +299,7 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
                                           ocspReqBuf, ocspReqSz, &ocspRespBuf);
     }
 
-    if (result >= 0) {
+    if (result >= 0 && ocspRespBuf) {
         InitOcspResponse(&ocspResponse, certStatus, ocspRespBuf, result);
         OcspResponseDecode(&ocspResponse);
     
diff --git a/src/ssl.c b/src/ssl.c
index 735752d81..c18dce8fc 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -955,7 +955,10 @@ int CyaSSL_Init(void)
             ret = BAD_MUTEX_ERROR;
     }
     if (ret == 0) {
-        LockMutex(&count_mutex);
+        if (LockMutex(&count_mutex) != 0) {
+            CYASSL_MSG("Bad Lock Mutex count");
+            return BAD_MUTEX_ERROR;
+        }
         initRefCount++;
         UnLockMutex(&count_mutex);
     }
@@ -3018,7 +3021,10 @@ int CyaSSL_Cleanup(void)
 
     CYASSL_ENTER("CyaSSL_Cleanup");
 
-    LockMutex(&count_mutex);
+    if (LockMutex(&count_mutex) != 0) {
+        CYASSL_MSG("Bad Lock Mutex count");
+        return BAD_MUTEX_ERROR;
+    }
 
     release = initRefCount-- == 1;
     if (initRefCount < 0)