~sircmpwn/gmni-devel

gmnlm: host freed too early, causing UAF v1 APPLIED

Andrew: 1

[PATCH] gmnlm: host freed too early, causing UAF

The host variable is freed too early. If a client certificate is not
found, the later error message in the
GEMINI_STATUS_CLASS_CLIENT_CERTIFICATE_REQUIRED case uses the freed host
variable to produce an incorrect openssl command. This fix just delays
the free to after the switch statement.

Test case:
gmnlm gemini://feeds.drewdevault.com

Prior:
The following OpenSSL command will generate a certificate for this host:

openssl req -x509 -newkey rsa:4096 \
 -keyout /home/andrew/.local/share/gmni/certs/€Ú-=öU.key \
 -out /home/andrew/.local/share/gmni/certs/€Ú-=öU.crt \
 -days 36500 -nodes

Now:
The following OpenSSL command will generate a certificate for this host:

openssl req -x509 -newkey rsa:4096 \
-keyout /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.key \
-out /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.crt \
-days 36500 -nodes
---
 src/gmnlm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gmnlm.c b/src/gmnlm.c
index 57c79cf..b1c08b2 100644
--- a/src/gmnlm.c
+++ b/src/gmnlm.c
@@ -415,7 +415,6 @@ do_requests(struct browser *browser, struct gemini_response *resp)
		} else {
			browser->opts.client_cert = NULL;
		}
		free(host);
	}

	while (requesting) {
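Review bot: with `free(host)` removed from the end of the client-certificate block, `host` now stays allocated through the `while (requesting)` loop that follows, so every exit from `do_requests()` must reach the cleanup at `out:` for the string to be released; any path between this block and `out:` that returns directly, or that reassigns `host` without freeing the old value, now leaks it. Worth confirming with a quick look for `return` and `host =` inside the loop body, and by running the test case from the commit message under AddressSanitizer/LeakSanitizer.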
@@ -540,6 +539,7 @@ out:
		free(client_cert.key);
	}
	free(scheme);
	free(host);
	return res;
}
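Review bot: the new `free(host)` at the `out:` label runs on every path that jumps there, including any `goto out` taken before `host` is assigned, so it is only safe if `host` is initialised to NULL at its declaration (`free(NULL)` is a no-op, but freeing an indeterminate pointer is undefined behaviour). Please check that the declaration reads `char *host = NULL;`; if it does not, that initialisation belongs in this patch. Placing the free after `free(scheme)` is fine, since nothing between the label and `return res` reads either string.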

-- 
2.25.1
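The bug in the commit message is an ordering problem: the host string was released inside the certificate-handling block but read again later, in the `GEMINI_STATUS_CLASS_CLIENT_CERTIFICATE_REQUIRED` message, so the openssl command was built from freed memory (hence the garbage filename in the "Prior" output). The following is an added example, not gmni's code, showing the ownership shape the patch restores: one NULL-initialised pointer per heap object, a single `out:` label that frees each exactly once, and every reader of `host` placed before that label. The status values, `parse_host`, `describe_response` and the `certs/` path prefix are constructed stand-ins, not gmni's identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the Gemini status classes (not gmni's enum). */
enum status_class {
	STATUS_SUCCESS = 20,
	STATUS_CLIENT_CERT_REQUIRED = 60
};

/* Copy the authority part of "gemini://host/path" into a new heap string.
 * The caller owns the result; NULL is returned for malformed URLs. */
static char *parse_host(const char *url)
{
	const char *p = strstr(url, "://");
	if (p == NULL) {
		return NULL;
	}
	p += 3;
	size_t n = strcspn(p, "/");
	if (n == 0) {
		return NULL;
	}
	char *host = malloc(n + 1);
	if (host == NULL) {
		return NULL;
	}
	memcpy(host, p, n);
	host[n] = '\0';
	return host;
}

/* Build the user-facing message for one response. The bug the patch fixes
 * corresponds to calling free(host) before this switch; here host is
 * released only at out:, after its last reader. Returns a malloc'd string
 * the caller frees, or NULL if the URL is malformed or formatting fails. */
char *describe_response(const char *url, enum status_class status)
{
	char buf[512];
	char *msg = NULL;
	char *host = NULL;  /* NULL so the early goto below can free() it safely */
	int n;

	host = parse_host(url);
	if (host == NULL) {
		goto out;
	}

	switch (status) {
	case STATUS_SUCCESS:
		n = snprintf(buf, sizeof buf, "Loaded %s", host);
		break;
	case STATUS_CLIENT_CERT_REQUIRED:
		/* "certs/" is a hypothetical prefix; gmni derives its own path. */
		n = snprintf(buf, sizeof buf,
			"openssl req -x509 -newkey rsa:4096 "
			"-keyout certs/%s.key -out certs/%s.crt -days 36500 -nodes",
			host, host);
		break;
	default:
		n = snprintf(buf, sizeof buf, "Unexpected status %d for %s",
			(int)status, host);
		break;
	}
	if (n < 0 || (size_t)n >= sizeof buf) {
		goto out;  /* formatting error or truncation: report failure */
	}
	msg = malloc((size_t)n + 1);
	if (msg != NULL) {
		memcpy(msg, buf, (size_t)n + 1);
	}

out:
	free(host);  /* single release point; no-op on the early-exit path */
	return msg;
}

int main(void)
{
	/* Constructed input; prints the command with the real host name. */
	char *m = describe_response("gemini://feeds.example.com/index.gmi",
		STATUS_CLIENT_CERT_REQUIRED);
	if (m != NULL) {
		puts(m);
		free(m);
	}
	return 0;
}
```

Building the client with `-fsanitize=address` and running the commit message's test case is the quickest way to catch a regression of this kind: ASan reports the read of freed memory at the `snprintf` call with both the free and the allocation stacks, rather than letting garbage reach the terminal.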
Thanks!

To git@git.sr.ht:~sircmpwn/gmni
   b46b312..e0993d4  master -> master