File gnutls-CVE-2021-20231.patch of Package gnutls.18748
From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 29 Jan 2021 14:06:32 +0100
Subject: [PATCH] key_share: avoid use-after-free around realloc
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/ext/key_share.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
index ab8abf8fe6..a8c4bb5cff 100644
--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session,
{
unsigned i;
int ret;
- unsigned char *lengthp;
- unsigned int cur_length;
unsigned int generated = 0;
const gnutls_group_entry_st *group;
const version_entry_st *ver;
/* this extension is only being sent on client side */
if (session->security_parameters.entity == GNUTLS_CLIENT) {
+ unsigned int length_pos;
+
ver = _gnutls_version_max(session);
if (unlikely(ver == NULL || ver->key_shares == 0))
return 0;
@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session,
if (!have_creds_for_tls13(session))
return 0;
- /* write the total length later */
- lengthp = &extdata->data[extdata->length];
+ length_pos = extdata->length;
ret =
_gnutls_buffer_append_prefix(extdata, 16, 0);
if (ret < 0)
return gnutls_assert_val(ret);
- cur_length = extdata->length;
-
if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */
group = get_group(session);
if (unlikely(group == NULL))
@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session,
}
/* copy actual length */
- _gnutls_write_uint16(extdata->length - cur_length, lengthp);
+ _gnutls_write_uint16(extdata->length - length_pos - 2,
+ &extdata->data[length_pos]);
} else { /* server */
ver = get_version(session);
--
GitLab