mirror of https://git.sr.ht/~sircmpwn/gmni synced 2024-11-23 04:51:59 +01:00

gmnlm: host freed too early, causing UAF

The host variable is freed too early. If a client certificate is not
found, the later error message in the
GEMINI_STATUS_CLASS_CLIENT_CERTIFICATE_REQUIRED case uses the freed host
variable to produce an incorrect openssl command. This fix just delays
the free to after the switch statement.

Test case:
gmnlm gemini://feeds.drewdevault.com

Prior:
The following OpenSSL command will generate a certificate for this host:

openssl req -x509 -newkey rsa:4096 \
 -keyout /home/andrew/.local/share/gmni/certs/€Ú-=öU.key \
 -out /home/andrew/.local/share/gmni/certs/€Ú-=öU.crt \
 -days 36500 -nodes

Now:
The following OpenSSL command will generate a certificate for this host:

openssl req -x509 -newkey rsa:4096 \
-keyout /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.key \
-out /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.crt \
-days 36500 -nodes
Andrew 2021-06-10 07:36:37 -04:00 committed by Drew DeVault
parent e0993d4886
commit b46b312817
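The lifetime bug the commit message describes, as an added C example that is not gmni's code: parse_host, cert_hint and handle_response are hypothetical stand-ins for the browser's request path, the status constant and certificate directory are constructed, and the comment in handle_response marks where the original free(host) sat. Compiling the pre-fix ordering with -fsanitize=address reports a heap-use-after-free at the first read of host inside cert_hint, which is the check to run on this kind of change.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status class; gmni's real enumerator is named in the commit message. */
#define STATUS_CLIENT_CERT_REQUIRED 6

/* Heap copy of the host in "gemini://host[/path]"; NULL if there is no host part. */
static char *parse_host(const char *url) {
	const char *p = strstr(url, "://");
	if (!p) return NULL;
	p += 3;
	size_t n = strcspn(p, "/");
	char *host = malloc(n + 1);
	if (!host) return NULL;
	memcpy(host, p, n);
	host[n] = '\0';
	return host;
}

/* Builds the openssl hint from the commit message; caller frees the result. */
static char *cert_hint(const char *dir, const char *host) {
	size_t len = 2 * strlen(dir) + 2 * strlen(host) + 128;
	char *cmd = malloc(len);
	if (!cmd) return NULL;
	snprintf(cmd, len, "openssl req -x509 -newkey rsa:4096 -keyout %s/%s.key "
	    "-out %s/%s.crt -days 36500 -nodes", dir, host, dir, host);
	return cmd;
}

/* Fixed ordering: host outlives the switch that reads it. The original code
 * freed host right after the certificate lookup, before the switch, so the
 * CLIENT_CERT_REQUIRED case formatted a dangling pointer into the command. */
static char *handle_response(const char *url, int status_class, int have_cert) {
	char *host = parse_host(url);
	if (!host) return NULL;
	const char *client_cert = have_cert ? "loaded" : NULL; /* stand-in for the lookup */
	/* free(host) used to be here */
	char *msg;
	switch (status_class) {
	case STATUS_CLIENT_CERT_REQUIRED:
		msg = client_cert ? strdup("certificate already configured")
		                  : cert_hint("certs", host); /* "certs" is a constructed dir */
		break;
	default:
		msg = strdup("ok");
	}
	free(host); /* moved after the last use, as the fix does */
	return msg;
}
```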

@ -415,7 +415,6 @@ do_requests(struct browser *browser, struct gemini_response *resp)
} else { } else {
browser->opts.client_cert = NULL; browser->opts.client_cert = NULL;
} }
free(host);
} }
while (requesting) { while (requesting) {
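Review bot: dropping the free(host) that sat between the client-certificate else-branch and the `while (requesting)` loop is the right fix for the dangling pointer, but it only holds if every exit from that loop reaches the `out:` label; check that no early `return` between here and `out:` leaves host unreleased now that its only free is at function end. A one-line comment above the switch noting that host is still read in the GEMINI_STATUS_CLASS_CLIENT_CERTIFICATE_REQUIRED case would help keep a later refactor from reintroducing the early free.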
@ -540,6 +539,7 @@ out:
free(client_cert.key); free(client_cert.key);
} }
free(scheme); free(scheme);
free(host);
return res; return res;
} }
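Review bot: the new free(host) after free(scheme) under `out:` places the release after the last read in the switch, which is what the commit message describes; confirm that host is initialized to NULL at its declaration, since any `goto out` taken before the URL is parsed would otherwise hand an indeterminate pointer to free(). If it is not, `char *host = NULL;` at the declaration belongs in this change.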