commit 7e4e43b05c298aa812027bf1921ce3f224e86bda
parent 4274b06fe4b2702af297cd0cee3d7871741899ec
Author: Andrew <git@andrewzigerelli.com>
Date: Thu, 10 Jun 2021 07:36:37 -0400
gmnlm: host freed too early, causing UAF
The host variable is freed too early. If a client certificate is not
found, the later error message in the
GEMINI_STATUS_CLASS_CLIENT_CERTIFICATE_REQUIRED case uses the freed host
variable to produce an incorrect openssl command. This fix just delays
the free to after the switch statement.
Test case:
gmnlm gemini://feeds.drewdevault.com
Prior:
The following OpenSSL command will generate a certificate for this host:
openssl req -x509 -newkey rsa:4096 \
-keyout /home/andrew/.local/share/gmni/certs/Ú-=öU.key \
-out /home/andrew/.local/share/gmni/certs/Ú-=öU.crt \
-days 36500 -nodes
Now:
The following OpenSSL command will generate a certificate for this host:
openssl req -x509 -newkey rsa:4096 \
-keyout /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.key \
-out /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.crt \
-days 36500 -nodes
Diffstat:
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/gmnlm.c b/src/gmnlm.c
@@ -475,7 +475,6 @@ do_requests(struct browser *browser, struct gemini_response *resp)
} else {
browser->opts.client_cert = NULL;
}
- free(host);
}
while (requesting) {
@@ -600,6 +599,7 @@ out:
free(client_cert.key);
}
free(scheme);
+ free(host);
return res;
}
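Review bot: Moving `free(host)` to the common `out:` path means every `goto out` taken before `host` is assigned now reaches this free; that is only safe if `host` is initialized to `NULL` at its declaration, which is outside this hunk and should be confirmed (freeing an indeterminate pointer is undefined behavior). If `host` can be reassigned inside the `while (requesting)` loop (e.g. across redirects), the earlier values would now leak, since only the last one is freed here — worth checking against the loop body, also not visible in the hunk. Since the ordering is the whole point of the fix, I would pin it with a comment on the new line so nobody moves it back: `free(host); /* freed last: the certificate-required message in the switch above still prints it */`. do_requests begins before the first hunk and its body between the two hunks is not shown.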