summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Rühsen <tim.ruehsen@gmx.de>2017-08-07 23:04:36 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-09-14 16:45:32 +0200
commit590a5ad812d30ddbca2b95ddfee1957e686decbd (patch)
tree0a6e97a9483b1027289e1b14437d2a3713065cf9
parent003af2e32d30b4664229d451ec9ebf1fee44f991 (diff)
downloadgnutls-590a5ad812d30ddbca2b95ddfee1957e686decbd.tar.gz
Fix memleaks in gnutls_x509_trust_list_add_crls()
This backports the cleanups in gnutls_x509_trust_list_add_crls() from 3.6.x, and addresses a use-after-free. Resolves #554 Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
-rw-r--r--NEWS9
-rw-r--r--lib/x509/verify-high.c19
2 files changed, 23 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index f3577be90c..a700211468 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,15 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
Copyright (C) 2013-2017 Nikos Mavrogiannopoulos
See the end for copying conditions.
+* Version 3.5.20 (unreleased)
+
+** libgnutls: Fixed memory leaks and a double free in gnutls_x509_trust_list_add_crls();
+ backported from 3.6.x.
+
+** API and ABI modifications:
+No changes since last version.
+
+
* Version 3.5.19 (released 2018-07-16)
** libgnutls: Backported PKCS#11 module improvements in initialization
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index ec1a52ace8..188c15489b 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -709,6 +709,7 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
unsigned x, i, j = 0;
unsigned int vret = 0;
uint32_t hash;
+ gnutls_x509_crl_t *tmp;
/* Probably we can optimize things such as removing duplicates
* etc.
@@ -734,6 +735,8 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
&vret);
if (ret < 0 || vret != 0) {
_gnutls_debug_log("CRL verification failed, not adding it\n");
+ if (flags & GNUTLS_TL_NO_DUPLICATES)
+ gnutls_x509_crl_deinit(crl_list[i]);
continue;
}
}
@@ -753,22 +756,28 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
} else {
/* The new is older, discard it */
gnutls_x509_crl_deinit(crl_list[i]);
- continue;
+ goto next;
}
}
}
}
- list->node[hash].crls =
- gnutls_realloc_fast(list->node[hash].crls,
+ tmp =
+ gnutls_realloc(list->node[hash].crls,
(list->node[hash].crl_size +
1) *
sizeof(list->node[hash].
trusted_cas[0]));
- if (list->node[hash].crls == NULL) {
+ if (tmp == NULL) {
+ ret = i;
gnutls_assert();
- return i;
+ if (flags & GNUTLS_TL_NO_DUPLICATES)
+ while (i < crl_size)
+ gnutls_x509_crl_deinit(crl_list[i++]);
+ return ret;
}
+ list->node[hash].crls = tmp;
+
list->node[hash].crls[list->node[hash].crl_size] =
crl_list[i];