diff options
| author |   patrick <patrick@openbsd.org> | 2017-10-30 09:53:27 +0000 |
|---|---|---|
| committer | patrick <patrick@openbsd.org> | 2017-10-30 09:53:27 +0000 |
| commit | 2dd15af02774ee046930ee46dc60422a1f5dc806 (patch) | |
| tree | b3d260ed0c13173fda707068cd68d09bd544167f | |
| parent | fix oob read; form llvm via Vlad Tsyrklevich; ok millert@ (diff) | |
| download | wireguard-openbsd-2dd15af02774ee046930ee46dc60422a1f5dc806.tar.xz wireguard-openbsd-2dd15af02774ee046930ee46dc60422a1f5dc806.zip | |
In the subjectAltName comparison, the bzero before the while-loop was
lost while applying the diff. This is means sanid could be passed
uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
could try to release a pointer which is essentially stack garbage.
While there I realized that the bzero() in the loop is essentially
fatal, since every mismatch leads to a silent leak of ibufs. Since
ca_x509_subjectaltname_cmp() releases and initializes the passed
iked_id, we can safely call it multiple times after initializing
sanid once before the loop.
ok markus@
| -rw-r--r-- | sbin/iked/ca.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c index a1ca8756d81..1911f339a09 100644 --- a/sbin/iked/ca.c +++ b/sbin/iked/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.45 2017/10/27 14:28:07 patrick Exp $ */ +/* $OpenBSD: ca.c,v 1.46 2017/10/30 09:53:27 patrick Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -1402,6 +1402,7 @@ ca_x509_subjectaltname_cmp(X509 *cert, struct iked_static_id *id) char idstr[IKED_ID_SIZE]; int ret = -1, lastpos = -1; + bzero(&sanid, sizeof(sanid)); while (ca_x509_subjectaltname(cert, &sanid, lastpos++) == 0) { ikev2_print_id(&sanid, idstr, sizeof(idstr)); @@ -1416,7 +1417,6 @@ ca_x509_subjectaltname_cmp(X509 *cert, struct iked_static_id *id) break; } log_debug("%s: %s mismatched", __func__, idstr); - bzero(&sanid, sizeof(sanid)); } ibuf_release(sanid.id_buf); |