Commit | Line | Data |
---|---|---|
74e2c0e0 MW |
1 | From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001 |
2 | From: Daiki Ueno <ueno@gnu.org> | |
3 | Date: Fri, 29 Jan 2021 14:06:23 +0100 | |
4 | Subject: [PATCH 2/2] pre_shared_key: avoid use-after-free around realloc | |
5 | ||
6 | Signed-off-by: Daiki Ueno <ueno@gnu.org> | |
7 | --- | |
8 | lib/ext/pre_shared_key.c | 15 ++++++++++++--- | |
9 | 1 file changed, 12 insertions(+), 3 deletions(-) | |
10 | ||
11 | diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c | |
12 | index a042c6488..380bf39ed 100644 | |
13 | --- a/lib/ext/pre_shared_key.c | |
14 | +++ b/lib/ext/pre_shared_key.c | |
15 | @@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session, | |
16 | size_t spos; | |
17 | gnutls_datum_t username = {NULL, 0}; | |
18 | gnutls_datum_t user_key = {NULL, 0}, rkey = {NULL, 0}; | |
19 | - gnutls_datum_t client_hello; | |
20 | + unsigned client_hello_len; | |
21 | unsigned next_idx; | |
22 | const mac_entry_st *prf_res = NULL; | |
23 | const mac_entry_st *prf_psk = NULL; | |
24 | @@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session, | |
25 | assert(extdata->length >= sizeof(mbuffer_st)); | |
26 | assert(ext_offset >= (ssize_t)sizeof(mbuffer_st)); | |
27 | ext_offset -= sizeof(mbuffer_st); | |
28 | - client_hello.data = extdata->data+sizeof(mbuffer_st); | |
29 | - client_hello.size = extdata->length-sizeof(mbuffer_st); | |
30 | + client_hello_len = extdata->length-sizeof(mbuffer_st); | |
31 | ||
32 | next_idx = 0; | |
33 | ||
34 | @@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session, | |
35 | } | |
36 | ||
37 | if (prf_res && rkey.size > 0) { | |
38 | + gnutls_datum_t client_hello; | |
39 | + | |
40 | + client_hello.data = extdata->data+sizeof(mbuffer_st); | |
41 | + client_hello.size = client_hello_len; | |
42 | + | |
43 | ret = compute_psk_binder(session, prf_res, | |
44 | binders_len, binders_pos, | |
45 | ext_offset, &rkey, &client_hello, 1, | |
46 | @@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session, | |
47 | } | |
48 | ||
49 | if (prf_psk && user_key.size > 0 && info) { | |
50 | + gnutls_datum_t client_hello; | |
51 | + | |
52 | + client_hello.data = extdata->data+sizeof(mbuffer_st); | |
53 | + client_hello.size = client_hello_len; | |
54 | + | |
55 | ret = compute_psk_binder(session, prf_psk, | |
56 | binders_len, binders_pos, | |
57 | ext_offset, &user_key, &client_hello, 0, | |
58 | -- | |
59 | 2.30.2 | |
60 |