moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00
Code Issues Releases Wiki Activity

nss: fix a possible use-after-free in SelectClientCert()

Browse Source 
... causing a SIGSEGV in showit() in case the handle used to initiate
the connection has already been freed.

This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.

Reported-by: Rob Sanders
Bug: https://bugzilla.redhat.com/1436158
This commit is contained in:
Kamil Dudka 2017-07-19 18:02:26 +02:00
parent c89eb6d0f8
commit 42a4cd4c78
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/vtls/nss.c
View File

@ -2184,6 +2184,10 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */
struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex];
ssize_t rc; ssize_t rc;
/* The SelectClientCert() hook uses this for infof() and failf() but the
handle stored in nss_setup_connect() could have already been freed. */
connssl->data = conn->data;
rc = PR_Send(connssl->handle, mem, (int)len, 0, PR_INTERVAL_NO_WAIT); rc = PR_Send(connssl->handle, mem, (int)len, 0, PR_INTERVAL_NO_WAIT);
if(rc < 0) { if(rc < 0) {
PRInt32 err = PR_GetError(); PRInt32 err = PR_GetError();
@ -2217,6 +2221,10 @@ static ssize_t nss_recv(struct connectdata *conn, /* connection data */
struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex];
ssize_t nread; ssize_t nread;
/* The SelectClientCert() hook uses this for infof() and failf() but the
handle stored in nss_setup_connect() could have already been freed. */
connssl->data = conn->data;
nread = PR_Recv(connssl->handle, buf, (int)buffersize, 0, nread = PR_Recv(connssl->handle, buf, (int)buffersize, 0,
PR_INTERVAL_NO_WAIT); PR_INTERVAL_NO_WAIT);
if(nread < 0) { if(nread < 0) {