File gnutls-CVE-2017-7507.patch of Package gnutls.5070

commit 20abda405acdf359711ebbaaceea0b4af328f2e3
Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Wed May 24 10:46:03 2017 +0200

    ext/status_request: ensure response IDs are properly deinitialized
    
    That is, do not attempt to loop through the array if there is no array
    allocated.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

commit 6ce67c9eaa29634e6be02ed6b76ac712c3d212c7
Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Wed May 24 11:38:16 2017 +0200

    ext/status_request: Removed the parsing of responder IDs from client extension
    
    These values were never used by gnutls, nor were accessible to applications,
    and as such there is no reason to parse them.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index 4c1f69a..386bb54 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -64,18 +64,6 @@ typedef struct {
       opaque Extensions<0..2^16-1>;
 */
 
-static void deinit_responder_id(status_request_ext_st *priv)
-{
-unsigned i;
-
-	for (i = 0; i < priv->responder_id_size; i++)
-		gnutls_free(priv->responder_id[i].data);
-
-	gnutls_free(priv->responder_id);
-	priv->responder_id = NULL;
-	priv->responder_id_size = 0;
-}
-
 
 static int
 client_send(gnutls_session_t session,
@@ -130,8 +118,8 @@ server_recv(gnutls_session_t session,
 	    status_request_ext_st * priv,
 	    const uint8_t * data, size_t size)
 {
-	size_t i;
 	ssize_t data_size = size;
+	unsigned rid_bytes = 0;
 
 	/* minimum message is type (1) + responder_id_list (2) +
 	   request_extension (2) = 5 */
@@ -150,43 +138,17 @@ server_recv(gnutls_session_t session,
 	DECR_LEN(data_size, 1);
 	data++;
 
-	priv->responder_id_size = _gnutls_read_uint16(data);
+	rid_bytes = _gnutls_read_uint16(data);
 
 	DECR_LEN(data_size, 2);
-	data += 2;
+	/*data += 2;*/
 
-	if (data_size <= (ssize_t) (priv->responder_id_size * 2))
+	/* sanity check only, we don't use any of the data below */
+
+	if (data_size < (ssize_t)rid_bytes)
 		return
 		    gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
 
-	if (priv->responder_id != NULL)
-		deinit_responder_id(priv);
-
-	priv->responder_id = gnutls_calloc(1, priv->responder_id_size
-					   * sizeof(*priv->responder_id));
-	if (priv->responder_id == NULL)
-		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-
-	for (i = 0; i < priv->responder_id_size; i++) {
-		size_t l;
-
-		DECR_LEN(data_size, 2);
-
-		l = _gnutls_read_uint16(data);
-		data += 2;
-
-		DECR_LEN(data_size, l);
-
-		priv->responder_id[i].data = gnutls_malloc(l);
-		if (priv->responder_id[i].data == NULL)
-			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-
-		memcpy(priv->responder_id[i].data, data, l);
-		priv->responder_id[i].size = l;
-
-		data += l;
-	}
-
 	return 0;
 }
 
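Review bot: The commented-out `/*data += 2;*/` in server_recv is dead code and leaves `data` pointing at the responder_id_list length field; delete the line so a later change does not resume parsing from the wrong offset. The new check `data_size < (ssize_t)rid_bytes` only confirms that the list fits in the remaining bytes, not that the 2-byte request_extensions length named in the comment at the top of the function follows it, so a truncated extension passes. If strict validation is wanted, `if (data_size < (ssize_t)rid_bytes + 2)` would cover it, though that may reject peers that are tolerated today. The `= 0` initializer on `rid_bytes` is redundant because it is assigned before its only use. server_recv begins outside this hunk.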
@@ -470,11 +432,18 @@ gnutls_certificate_set_ocsp_status_request_file
 static void _gnutls_status_request_deinit_data(extension_priv_data_t epriv)
 {
 	status_request_ext_st *priv = epriv.ptr;
+	unsigned i;
 
 	if (priv == NULL)
 		return;
 
-	deinit_responder_id(priv);
+	if (priv->responder_id != NULL) {
+		for (i = 0; i < priv->responder_id_size; i++)
+			gnutls_free(priv->responder_id[i].data);
+
+		gnutls_free(priv->responder_id);
+	}
+
 	gnutls_free(priv->request_extensions.data);
 	gnutls_free(priv->response.data);
 	gnutls_free(priv);
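Review bot: The NULL guard added in _gnutls_status_request_deinit_data still trusts `responder_id_size` to match the number of allocated entries, and nothing in the patch documents that invariant. With the parsing removed from server_recv, no code visible in this patch writes `responder_id` or `responder_id_size`, so the fields look unused. If that holds for the rest of the file, dropping them from status_request_ext_st would remove the loop and this class of bug with it. Otherwise add a comment above the guard such as `/* responder_id may be NULL while responder_id_size is non-zero; never walk it unguarded */`. The function's closing brace is outside the hunk.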