[Swan-dev] [Security] double free in load_cert_from_nss

Paul Wouters paul at nohats.ca
Fri Apr 4 23:34:58 EEST 2014

On Fri, 4 Apr 2014, Matt Rogers wrote:

> The free_x509cert(x509cert) function already frees the blob.ptr in that
> situation. So moving that up to the is_asn1(blob) case is the local fix.

Or just return FALSE, eg:

                 if (!parse_x509cert(blob, 0, x509cert)) {
                         libreswan_log(" error in X.509 certificate %s",
+			return FALSE;
                 } else {

> We still need to determine if this can be a remote crash if a peer sends
> an unsupported cert (like strongswan) so I am setting up the tests for
> that.

Hugh pointed out it was actualy him that re-arranged the code that
exposes this. I double checked and 3.8 does NOT have this issue, so it
is only in git, so no CVE, so we can just patch this publicly in the git
right now.


More information about the Swan-dev mailing list