authorpatrick <patrick@openbsd.org>2017-11-08 09:33:37 +0000
committerpatrick <patrick@openbsd.org>2017-11-08 09:33:37 +0000
commit8068c079af43768d71f46702115722ef34f7f7a9 (patch)
tree25b6ce74bc8a27725255561bd6d6f3aba074bfd3
parentFixup what looks like a merge mistake; no functional change (diff)
Since r1.41 the extensions are included in the CSR. Thus ca_request()
already sets the extension values and returns. ca_sign() re-uses the information to write out the extension file. Since ca_request() uses strings stored on the stack, on return the pointers to those strings will be unusable. To fix this, strdup() the strings passed to ca_setenv() so we can re-use them in another scope. And free() them when we clear the environment in ca_clrenv(). Initial report and diff from Andrei-Marius Radu. ok markus@
-rw-r--r--usr.sbin/ikectl/ikeca.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 3dacac9e83e..5f698e53df7 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.46 2017/06/08 11:45:44 jsg Exp $ */
+/* $OpenBSD: ikeca.c,v 1.47 2017/11/08 09:33:37 patrick Exp $ */
/*
* Copyright (c) 2010 Jonathan Gray <jsg@openbsd.org>
@@ -85,7 +85,7 @@ struct {
};
/* explicitly list allowed variables */
-const char *ca_env[][2] = {
+char *ca_env[][2] = {
{ "$ENV::CADB", NULL },
{ "$ENV::CASERIAL", NULL },
{ "$ENV::CERTFQDN", NULL },
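Review bot: Dropping `const` from the whole `ca_env` table also un-consts the key column, whose entries are string literals that must never be written or freed, and the array type no longer shows which column is which. A comment above the table would record the ownership rule the rest of the commit relies on, for example `/* [0]: key literal, read-only; [1]: strdup()ed by ca_setenv(), freed by ca_clrenv() */`. The initializer continues outside this hunk, so the remaining entries are not visible here.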
@@ -899,20 +899,26 @@ void
ca_clrenv(void)
{
int i;
- for (i = 0; ca_env[i][0] != NULL; i++)
+ for (i = 0; ca_env[i][0] != NULL; i++) {
+ free(ca_env[i][1]);
ca_env[i][1] = NULL;
+ }
}
void
ca_setenv(const char *key, const char *value)
{
int i;
+ char *p = NULL;
for (i = 0; ca_env[i][0] != NULL; i++) {
if (strcmp(ca_env[i][0], key) == 0) {
if (ca_env[i][1] != NULL)
errx(1, "env %s already set: %s", key, value);
- ca_env[i][1] = value;
+ p = strdup(value);
+ if (p == NULL)
+ err(1, NULL);
+ ca_env[i][1] = p;
return;
}
}
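Review bot: `strdup(value)` in ca_setenv() dereferences `value`, so a NULL value, which the old pointer assignment stored harmlessly, would now crash; no caller is visible in this hunk, so whether one can pass NULL needs checking. A guard before the copy, e.g. `if (value == NULL) errx(1, "env %s: no value", key);`, would make the contract explicit. The free() added to ca_clrenv() also assumes every non-NULL `ca_env[i][1]` came from this strdup(), so any direct assignment to that slot elsewhere in the file would turn into an invalid free. ca_setenv()'s body continues past the end of the hunk.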