[Swan-dev] [Security] double free in load_cert_from_nss

Paul Wouters paul at nohats.ca
Fri Apr 4 23:34:58 EEST 2014


On Fri, 4 Apr 2014, Matt Rogers wrote:

> The free_x509cert(x509cert) function already frees the blob.ptr in that
> situation. So moving that up to the is_asn1(blob) case is the local fix.

Or just return FALSE, e.g.:

                 if (!parse_x509cert(blob, 0, x509cert)) {
                         libreswan_log(" error in X.509 certificate %s",
                                 filename);
                         free_x509cert(x509cert);
+                        return FALSE;
                 } else {

> We still need to determine if this can be a remote crash if a peer sends
> an unsupported cert (like strongswan) so I am setting up the tests for
> that.

Hugh pointed out it was actually him that re-arranged the code that
exposes this. I double checked and 3.8 does NOT have this issue, so it
is only in git, so no CVE, so we can just patch this publicly in the git
right now.

Paul
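The ownership problem the thread describes, as an added, constructed C model that is not libreswan's code: `parse_cert`, `free_cert`, `load_cert` and `tracked_free` are hypothetical stand-ins for `parse_x509cert`, `free_x509cert`, `load_cert_from_nss` and the allocator, and the `fixed` flag switches between falling through to the trailing cleanup and the suggested early `return FALSE`. A small free-tracking shim takes the place of a sanitizer so the buggy path reports the second free instead of crashing.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the double free discussed above (hypothetical names,
 * not libreswan's code); tracked_free() records repeat frees instead of crashing. */
typedef struct { unsigned char *ptr; size_t len; } chunk_t;
typedef struct { chunk_t blob; } cert_t;
#define MAX_FREED 16
static void *freed[MAX_FREED];
static int nfreed, double_frees;
static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; } /* p was freed before: bug */
    if (nfreed < MAX_FREED) freed[nfreed++] = p;
    free(p);
}
/* Models parse_x509cert(): the cert takes the blob first, then validation may fail. */
static bool parse_cert(chunk_t blob, cert_t *cert) {
    cert->blob = blob;
    return blob.len > 0 && blob.ptr[0] == 0x30;  /* only an ASN.1 SEQUENCE "parses" */
}
/* Models free_x509cert(): releases the blob the cert owns, as the thread notes. */
static void free_cert(cert_t *cert) { tracked_free(cert->blob.ptr); free(cert); }
/* fixed == false: after free_cert() control falls through to the trailing cleanup
 * that frees blob.ptr again. fixed == true: the suggested "return FALSE". */
static bool load_cert(chunk_t blob, bool fixed) {
    cert_t *cert = calloc(1, sizeof *cert);
    if (cert == NULL) { tracked_free(blob.ptr); return false; }
    if (!parse_cert(blob, cert)) {
        free_cert(cert);               /* already frees blob.ptr */
        if (fixed) return false;
    } else {
        free_cert(cert);               /* a real loader would hand cert out instead */
        return true;
    }
    tracked_free(blob.ptr);            /* second free on the unfixed error path */
    return false;
}
/* Loads one constructed non-ASN.1 blob and reports how many double frees occurred. */
static int double_frees_for(bool fixed) {
    nfreed = 0; double_frees = 0;
    chunk_t blob = { malloc(4), 4 };
    if (blob.ptr == NULL) return -1;
    blob.ptr[0] = 0x02;                /* constructed input: not a SEQUENCE tag */
    load_cert(blob, fixed);
    return double_frees;
}
```

Building the real tree with AddressSanitizer and feeding the loader a non-ASN.1 blob gives the same verdict without the shim.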

