author | Tim Rühsen <tim.ruehsen@gmx.de> | 2017-08-07 23:04:36 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-09-14 16:45:32 +0200 |
commit | 590a5ad812d30ddbca2b95ddfee1957e686decbd (patch) | |
tree | 0a6e97a9483b1027289e1b14437d2a3713065cf9 | |
parent | 003af2e32d30b4664229d451ec9ebf1fee44f991 (diff) | |
Fix memleaks in gnutls_x509_trust_list_add_crls()
This backports the cleanups in gnutls_x509_trust_list_add_crls()
from 3.6.x, and addresses a use-after-free.
Resolves #554
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
-rw-r--r-- | NEWS | 9 | ||||
-rw-r--r-- | lib/x509/verify-high.c | 19 |
2 files changed, 23 insertions, 5 deletions
@@ -5,6 +5,15 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc. Copyright (C) 2013-2017 Nikos Mavrogiannopoulos See the end for copying conditions. +* Version 3.5.20 (unreleased) + +** libgnutls: Fixed memory leaks and a double free in gnutls_x509_trust_list_add_crls(); + backported from 3.6.x. + +** API and ABI modifications: +No changes since last version. + + * Version 3.5.19 (released 2018-07-16) ** libgnutls: Backported PKCS#11 module improvements in initialization diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index ec1a52ace8..188c15489b 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -709,6 +709,7 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, unsigned x, i, j = 0; unsigned int vret = 0; uint32_t hash; + gnutls_x509_crl_t *tmp; /* Probably we can optimize things such as removing duplicates * etc. @@ -734,6 +735,8 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, &vret); if (ret < 0 || vret != 0) { _gnutls_debug_log("CRL verification failed, not adding it\n"); + if (flags & GNUTLS_TL_NO_DUPLICATES) + gnutls_x509_crl_deinit(crl_list[i]); continue; } } @@ -753,22 +756,28 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, } else { /* The new is older, discard it */ gnutls_x509_crl_deinit(crl_list[i]); - continue; + goto next; } } } } - list->node[hash].crls = - gnutls_realloc_fast(list->node[hash].crls, + tmp = + gnutls_realloc(list->node[hash].crls, (list->node[hash].crl_size + 1) * sizeof(list->node[hash]. trusted_cas[0])); - if (list->node[hash].crls == NULL) { + if (tmp == NULL) { + ret = i; gnutls_assert(); - return i; + if (flags & GNUTLS_TL_NO_DUPLICATES) + while (i < crl_size) + gnutls_x509_crl_deinit(crl_list[i++]); + return ret; } + list->node[hash].crls = tmp; + list->node[hash].crls[list->node[hash].crl_size] = crl_list[i]; |
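Review bot: The `gnutls_x509_crl_deinit(crl_list[i])` added to the verification-failure branch is gated on `GNUTLS_TL_NO_DUPLICATES`, and nothing at the call site says why a de-duplication flag decides who releases a rejected CRL. With that flag set, the caller's `crl_list[i]` now refers to a released object, so a caller that still deinitializes its own array after a partial failure would free it a second time. I would add above the check `/* with GNUTLS_TL_NO_DUPLICATES the list owns every entry of crl_list, so a rejected CRL is released here */`, assuming that is the intended contract. The function's doc comment lies outside the hunk and should state the same rule; the realloc-failure path in the last hunk uses the same gating.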
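Review bot: The rewritten allocation in the last hunk still takes its element size from a different array, since `sizeof(list->node[hash].trusted_cas[0])` is used to size `crls`. The two element types are presumably handles of the same width, so nothing breaks today, but the expression stops matching the allocation as soon as either type changes; `sizeof(*tmp));` ties the size to the pointer being assigned. In the failure path, `ret = i;` deserves a short comment such as `/* keep the count: the cleanup loop below advances i */`. The `next` label targeted by the new `goto next;` and the end of the loop body are outside the hunk.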