[GNUnet-SVN] [gnurl] 154/208: nss: fix a possible use-after-free in SelectClientCert()

[gnunet]

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to annotated tag gnurl-7.55.0
in repository gnurl.

commit 42a4cd4c78b3feb5ca07286479129116e125a730
Author: Kamil Dudka <address@hidden>
AuthorDate: Wed Jul 19 18:02:26 2017 +0200

    nss: fix a possible use-after-free in SelectClientCert()
    
    ... causing a SIGSEGV in showit() in case the handle used to initiate
    the connection has already been freed.
    
    This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.
    
    Reported-by: Rob Sanders
    Bug: https://bugzilla.redhat.com/1436158
---
 lib/vtls/nss.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index ac3730fdb..d1711d6a1 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -2184,6 +2184,10 @@ static ssize_t nss_send(struct connectdata *conn,  /* 
connection data */
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
   ssize_t rc;
 
+  /* The SelectClientCert() hook uses this for infof() and failf() but the
+     handle stored in nss_setup_connect() could have already been freed. */
+  connssl->data = conn->data;
+
   rc = PR_Send(connssl->handle, mem, (int)len, 0, PR_INTERVAL_NO_WAIT);
   if(rc < 0) {
     PRInt32 err = PR_GetError();
@@ -2217,6 +2221,10 @@ static ssize_t nss_recv(struct connectdata *conn,  /* 
connection data */
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
   ssize_t nread;
 
+  /* The SelectClientCert() hook uses this for infof() and failf() but the
+     handle stored in nss_setup_connect() could have already been freed. */
+  connssl->data = conn->data;
+
   nread = PR_Recv(connssl->handle, buf, (int)buffersize, 0,
                   PR_INTERVAL_NO_WAIT);
   if(nread < 0) {

-- 
To stop receiving notification emails like this one, please contact
address@hidden