aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
blob: 8824729d2fa01377a3dd51aafea113ac7f9ce735 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Sat, 28 Mar 2015 22:41:03 +0100
Subject: [PATCH] Better fix for the double free in dist point parsing

Fixes CVE-2015-3308
Upstream-Status: Backport

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
 lib/x509/x509_ext.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
index 2e69ed0..f974b02 100644
--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
 	int len, ret;
 	uint8_t reasons[2];
 	unsigned i, type, rflags, j;
-	gnutls_datum_t san;
+	gnutls_datum_t san = {NULL, 0};
 
 	result = asn1_create_element
 	    (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2);
@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
 
 	i = 0;
 	do {
-		san.data = NULL;
-		san.size = 0;
-
 		snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1);
 
 		len = sizeof(reasons);
@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
 
 		j = 0;
 		do {
+			san.data = NULL;
+			san.size = 0;
+
 			ret =
 			    _gnutls_parse_general_name2(c2, name, j, &san,
 							&type, 0);
@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
 			ret = crl_dist_points_set(cdp, type, &san, rflags);
 			if (ret < 0)
 				break;
+			san.data = NULL; /* it is now in cdp */
 
 			j++;
 		} while (ret >= 0);
@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
 
 	if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
 		gnutls_assert();
+		gnutls_free(san.data);
 		goto cleanup;
 	}
 
-- 
1.9.1