diff options
author | Kamil Dudka <kdudka@redhat.com> | 2017-07-19 18:02:26 +0200 |
---|---|---|
committer | Kamil Dudka <kdudka@redhat.com> | 2017-07-20 08:09:01 +0200 |
commit | 42a4cd4c78b3feb5ca07286479129116e125a730 (patch) | |
tree | 431c5b0bb5ea8abc2378e4d162adb603823166dc /lib | |
parent | c89eb6d0f87a3620074bc04a6af255e5dc3a523e (diff) | |
download | curl-42a4cd4c78b3feb5ca07286479129116e125a730.tar.gz |
nss: fix a possible use-after-free in SelectClientCert()
... causing a SIGSEGV in showit() in case the handle used to initiate
the connection has already been freed.
This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.
Reported-by: Rob Sanders
Bug: https://bugzilla.redhat.com/1436158
Diffstat (limited to 'lib')
-rw-r--r-- | lib/vtls/nss.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index ac3730fdb..d1711d6a1 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -2184,6 +2184,10 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; ssize_t rc; + /* The SelectClientCert() hook uses this for infof() and failf() but the + handle stored in nss_setup_connect() could have already been freed. */ + connssl->data = conn->data; + rc = PR_Send(connssl->handle, mem, (int)len, 0, PR_INTERVAL_NO_WAIT); if(rc < 0) { PRInt32 err = PR_GetError(); @@ -2217,6 +2221,10 @@ static ssize_t nss_recv(struct connectdata *conn, /* connection data */ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; ssize_t nread; + /* The SelectClientCert() hook uses this for infof() and failf() but the + handle stored in nss_setup_connect() could have already been freed. */ + connssl->data = conn->data; + nread = PR_Recv(connssl->handle, buf, (int)buffersize, 0, PR_INTERVAL_NO_WAIT); if(nread < 0) { |