File gnutls-CVE-2017-7507.patch of Package gnutls

Overview Repositories Revisions Requests Users Attributes Meta

File gnutls-CVE-2017-7507.patch of Package gnutls

commit 20abda405acdf359711ebbaaceea0b4af328f2e3
Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Wed May 24 10:46:03 2017 +0200

ext/status_request: ensure response IDs are properly deinitialized
    
    That is, do not attempt to loop through the array if there is no array
    allocated.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

commit 6ce67c9eaa29634e6be02ed6b76ac712c3d212c7
Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Wed May 24 11:38:16 2017 +0200

ext/status_request: Removed the parsing of responder IDs from client extension
    
    These values were never used by gnutls, nor were accessible to applications,
    and as such there is not reason to parse them.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index 4c1f69a..386bb54 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -64,18 +64,6 @@ typedef struct {
       opaque Extensions<0..2^16-1>;
 */
 
-static void deinit_responder_id(status_request_ext_st *priv)
-{
-unsigned i;
-
-	for (i = 0; i < priv->responder_id_size; i++)
-		gnutls_free(priv->responder_id[i].data);
-
-	gnutls_free(priv->responder_id);
-	priv->responder_id = NULL;
-	priv->responder_id_size = 0;
-}
-
 
 static int
 client_send(gnutls_session_t session,
@@ -130,8 +118,8 @@ server_recv(gnutls_session_t session,
 	    status_request_ext_st * priv,
 	    const uint8_t * data, size_t size)
 {
-	size_t i;
 	ssize_t data_size = size;
+	unsigned rid_bytes = 0;
 
 	/* minimum message is type (1) + responder_id_list (2) +
 	   request_extension (2) = 5 */
@@ -150,43 +138,17 @@ server_recv(gnutls_session_t session,
 	DECR_LEN(data_size, 1);
 	data++;
 
-	priv->responder_id_size = _gnutls_read_uint16(data);
+	rid_bytes = _gnutls_read_uint16(data);
 
 	DECR_LEN(data_size, 2);
-	data += 2;
+	/*data += 2;*/
 
-	if (data_size <= (ssize_t) (priv->responder_id_size * 2))
+	/* sanity check only, we don't use any of the data below */
+
+	if (data_size < (ssize_t)rid_bytes)
 		return
 		    gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
 
-	if (priv->responder_id != NULL)
-		deinit_responder_id(priv);
-
-	priv->responder_id = gnutls_calloc(1, priv->responder_id_size
-					   * sizeof(*priv->responder_id));
-	if (priv->responder_id == NULL)
-		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-
-	for (i = 0; i < priv->responder_id_size; i++) {
-		size_t l;
-
-		DECR_LEN(data_size, 2);
-
-		l = _gnutls_read_uint16(data);
-		data += 2;
-
-		DECR_LEN(data_size, l);
-
-		priv->responder_id[i].data = gnutls_malloc(l);
-		if (priv->responder_id[i].data == NULL)
-			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-
-		memcpy(priv->responder_id[i].data, data, l);
-		priv->responder_id[i].size = l;
-
-		data += l;
-	}
-
 	return 0;
 }
 
@@ -470,11 +432,18 @@ gnutls_certificate_set_ocsp_status_request_file
 static void _gnutls_status_request_deinit_data(extension_priv_data_t epriv)
 {
 	status_request_ext_st *priv = epriv.ptr;
+	unsigned i;
 
 	if (priv == NULL)
 		return;
 
-	deinit_responder_id(priv);
+	if (priv->responder_id != NULL) {
+		for (i = 0; i < priv->responder_id_size; i++)
+			gnutls_free(priv->responder_id[i].data);
+
+		gnutls_free(priv->responder_id);
+	}
+
 	gnutls_free(priv->request_extensions.data);
 	gnutls_free(priv->response.data);
 	gnutls_free(priv);

Places

File gnutls-CVE-2017-7507.patch of Package gnutls

Places