diff options
| author | Tim Rühsen <tim.ruehsen@gmx.de> | 2017-08-07 23:04:36 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-09-14 16:54:49 +0200 |
| commit | 3eadac1b860034477745ed34ef84579a8dde762a (patch) | |
| tree | 752fc31a2e61e94f685d4c24aa43089f8057b04a | |
| parent | 4a4b65c75717bb06ff95439f7f5a69a84a67f543 (diff) | |
| download | gnutls-tmp-fix-3.3.tar.gz | |
Fix memleaks in gnutls_x509_trust_list_add_crls()tmp-fix-3.3
This backports the cleanups in gnutls_x509_trust_list_add_crls()
from 3.6.x, and addresses a use-after-free.
Relates #554
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| -rw-r--r-- | NEWS | 9 | ||||
| -rw-r--r-- | lib/x509/verify-high.c | 19 |
2 files changed, 23 insertions, 5 deletions
@@ -3,6 +3,15 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc. Copyright (C) 2013-2016 Nikos Mavrogiannopoulos See the end for copying conditions. +* Version 3.3.31 (unreleased) + +** libgnutls: Fixed memory leaks and a double free in gnutls_x509_trust_list_add_crls(); + backported from 3.6.x. + +** API and ABI modifications: +No changes since last version. + + * Version 3.3.30 (released 2018-07-16) ** libgnutls: Corrected infinite loop when an incorrect PIN was provided diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index b4bec35bd5..5229ba445a 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -508,6 +508,7 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, unsigned x; unsigned int vret = 0; uint32_t hash; + gnutls_x509_crl_t *tmp; /* Probably we can optimize things such as removing duplicates * etc. @@ -533,6 +534,8 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, &vret); if (ret < 0 || vret != 0) { _gnutls_debug_log("CRL verification failed, not adding it\n"); + if (flags & GNUTLS_TL_NO_DUPLICATES) + gnutls_x509_crl_deinit(crl_list[i]); continue; } } @@ -552,22 +555,28 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, } else { /* The new is older, discard it */ gnutls_x509_crl_deinit(crl_list[i]); - continue; + goto next; } } } } - list->node[hash].crls = - gnutls_realloc_fast(list->node[hash].crls, + tmp = + gnutls_realloc(list->node[hash].crls, (list->node[hash].crl_size + 1) * sizeof(list->node[hash]. trusted_cas[0])); - if (list->node[hash].crls == NULL) { + if (tmp == NULL) { + ret = i; gnutls_assert(); - return i; + if (flags & GNUTLS_TL_NO_DUPLICATES) + while (i < crl_size) + gnutls_x509_crl_deinit(crl_list[i++]); + return ret; } + list->node[hash].crls = tmp; + list->node[hash].crls[list->node[hash].crl_size] = crl_list[i]; |