Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:GA
gnutls
gnutls-CVE-2017-7507.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gnutls-CVE-2017-7507.patch of Package gnutls
commit 20abda405acdf359711ebbaaceea0b4af328f2e3 Author: Nikos Mavrogiannopoulos <nmav@redhat.com> Date: Wed May 24 10:46:03 2017 +0200 ext/status_request: ensure response IDs are properly deinitialized That is, do not attempt to loop through the array if there is no array allocated. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> commit 6ce67c9eaa29634e6be02ed6b76ac712c3d212c7 Author: Nikos Mavrogiannopoulos <nmav@redhat.com> Date: Wed May 24 11:38:16 2017 +0200 ext/status_request: Removed the parsing of responder IDs from client extension These values were never used by gnutls, nor were accessible to applications, and as such there is not reason to parse them. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c index 4c1f69a..386bb54 100644 --- a/lib/ext/status_request.c +++ b/lib/ext/status_request.c @@ -64,18 +64,6 @@ typedef struct { opaque Extensions<0..2^16-1>; */ -static void deinit_responder_id(status_request_ext_st *priv) -{ -unsigned i; - - for (i = 0; i < priv->responder_id_size; i++) - gnutls_free(priv->responder_id[i].data); - - gnutls_free(priv->responder_id); - priv->responder_id = NULL; - priv->responder_id_size = 0; -} - static int client_send(gnutls_session_t session, @@ -130,8 +118,8 @@ server_recv(gnutls_session_t session, status_request_ext_st * priv, const uint8_t * data, size_t size) { - size_t i; ssize_t data_size = size; + unsigned rid_bytes = 0; /* minimum message is type (1) + responder_id_list (2) + request_extension (2) = 5 */ @@ -150,43 +138,17 @@ server_recv(gnutls_session_t session, DECR_LEN(data_size, 1); data++; - priv->responder_id_size = _gnutls_read_uint16(data); + rid_bytes = _gnutls_read_uint16(data); DECR_LEN(data_size, 2); - data += 2; + /*data += 2;*/ - if (data_size <= (ssize_t) (priv->responder_id_size * 2)) + /* sanity check only, we don't use any of the data below */ + + if (data_size < (ssize_t)rid_bytes) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); - if (priv->responder_id != NULL) - deinit_responder_id(priv); - - priv->responder_id = gnutls_calloc(1, priv->responder_id_size - * sizeof(*priv->responder_id)); - if (priv->responder_id == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - for (i = 0; i < priv->responder_id_size; i++) { - size_t l; - - DECR_LEN(data_size, 2); - - l = _gnutls_read_uint16(data); - data += 2; - - DECR_LEN(data_size, l); - - priv->responder_id[i].data = gnutls_malloc(l); - if (priv->responder_id[i].data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - memcpy(priv->responder_id[i].data, data, l); - priv->responder_id[i].size = l; - - data += l; - } - return 0; } @@ -470,11 +432,18 @@ gnutls_certificate_set_ocsp_status_request_file static void _gnutls_status_request_deinit_data(extension_priv_data_t epriv) { status_request_ext_st *priv = epriv.ptr; + unsigned i; if (priv == NULL) return; - deinit_responder_id(priv); + if (priv->responder_id != NULL) { + for (i = 0; i < priv->responder_id_size; i++) + gnutls_free(priv->responder_id[i].data); + + gnutls_free(priv->responder_id); + } + gnutls_free(priv->request_extensions.data); gnutls_free(priv->response.data); gnutls_free(priv);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor