cgmnlm

Unnamed repository; edit this file 'description' to name the repository.
git clone git://code.clttr.info/cgmnlm.git
Log | Files | Refs | README | LICENSE

commit 7e4e43b05c298aa812027bf1921ce3f224e86bda
parent 4274b06fe4b2702af297cd0cee3d7871741899ec
Author: Andrew <git@andrewzigerelli.com>
Date:   Thu, 10 Jun 2021 07:36:37 -0400

gmnlm: host freed too early, causing UAF

The host variable is freed too early. If a client certificate is not
found, the later error message in the
GEMINI_STATUS_CLASS_CLIENT_CERTIFICATE_REQUIRED case uses the freed host
variable to produce an incorrect openssl command. This fix just delays
the free to after the switch statement.

Test case:
gmnlm gemini://feeds.drewdevault.com

Prior:
The following OpenSSL command will generate a certificate for this host:

openssl req -x509 -newkey rsa:4096 \
 -keyout /home/andrew/.local/share/gmni/certs/€Ú-=öU.key \
 -out /home/andrew/.local/share/gmni/certs/€Ú-=öU.crt \
 -days 36500 -nodes

Now:
The following OpenSSL command will generate a certificate for this host:

openssl req -x509 -newkey rsa:4096 \
-keyout /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.key \
-out /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.crt \
-days 36500 -nodes

Diffstat:
Msrc/gmnlm.c | 2+-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gmnlm.c b/src/gmnlm.c @@ -475,7 +475,6 @@ do_requests(struct browser *browser, struct gemini_response *resp) } else { browser->opts.client_cert = NULL; } - free(host); } while (requesting) { @@ -600,6 +599,7 @@ out: free(client_cert.key); } free(scheme); + free(host); return res; }