This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 91196
Status: resolved
Worked: 10 min
Priority: 0/
Queue: Net-SSLeay

People
Owner: MIKEM [...] cpan.org
Requestors: lkundrak [...] v3.sk
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



From lkundrak [...] v3.sk Thu Dec 5 09:07:42 2013
CC: Lubomir Rintel <lkundrak [...] v3.sk>
Subject: [PATCH] Fix a use-after-free error
Date: Thu, 5 Dec 2013 15:07:26 +0100
To: bug-Net-SSLeay [...] rt.cpan.org
From: Lubomir Rintel <lkundrak [...] v3.sk>
Avoid using next_proto_data after it has been deallocated. --- Changes | 1 + SSLeay.xs | 21 ++++++++++++--------- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/Changes b/Changes index ab7c950..483628e 100644 --- a/Changes +++ b/Changes @@ -8,6 +8,7 @@ Revision history for Perl extension Net::SSLeay. Adjusted license: in META.yml to be 'openssl' Adds support for the basic operations necessary to support ECDH for PFS, e.g. EC_KEY_new_by_curve_name, EC_KEY_free and SSL_CTX_set_tmp_ecdh. + Fix an use-after-free error. Patch from Lubomir Rintel. 1.55 2013-06-08 Added support for TLSV1_1 and TLSV1_2 methods with SSL_CTX_tlsv1_1_new(), diff --git a/SSLeay.xs b/SSLeay.xs index 16c7604..9fb8e99 100644 --- a/SSLeay.xs +++ b/SSLeay.xs 
@@ -844,19 +844,22 @@ int next_proto_select_cb_invoke(SSL *ssl, unsigned char **out, unsigned char *ou croak ("Net::SSLeay: next_proto_select_cb_invoke perl function did not return 2 values.\n"); next_proto_data = (unsigned char*)POPpx; next_proto_status = POPi; + + next_proto_len = strlen((const char*)next_proto_data); + if (next_proto_len<=255) { + /* store last_status + last_negotiated into global hash */ + cb_data_advanced_put(ssl, "next_proto_select_cb!!last_status", newSViv(next_proto_status)); + tmpsv = newSVpv((const char*)next_proto_data, next_proto_len); + cb_data_advanced_put(ssl, "next_proto_select_cb!!last_negotiated", tmpsv); + *out = (unsigned char *)SvPVX(tmpsv); + *outlen = next_proto_len; + } + PUTBACK; FREETMPS; LEAVE; - if (strlen((const char*)next_proto_data)>255) return SSL_TLSEXT_ERR_ALERT_FATAL; - next_proto_len = strlen((const char*)next_proto_data); - /* store last_status + last_negotiated into global hash */ - cb_data_advanced_put(ssl, "next_proto_select_cb!!last_status", newSViv(next_proto_status)); - tmpsv = newSVpv((const char*)next_proto_data, next_proto_len); - cb_data_advanced_put(ssl, "next_proto_select_cb!!last_negotiated", tmpsv); - *out = (unsigned char *)SvPVX(tmpsv); - *outlen = next_proto_len; - return SSL_TLSEXT_ERR_OK; + return next_proto_len>255 ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_OK; } else if (SvROK(cb_data) && (SvTYPE(SvRV(cb_data)) == SVt_PVAV)) { next_proto_len = next_proto_helper_AV2protodata((AV*)SvRV(cb_data), NULL); -- 1.7.1
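Review bot: in the Changes hunk, the added entry reads "Fix an use-after-free error"; it should be "a use-after-free", as in the patch subject. Naming the affected function, next_proto_select_cb_invoke, in that entry would also let users tell whether the next-protocol select callback path they use is the one involved.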
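Review bot: in the SSLeay.xs hunk, `*out = (unsigned char *)SvPVX(tmpsv)` hands the caller a pointer into `tmpsv`'s buffer, so its validity rests on `cb_data_advanced_put` keeping that SV alive under "next_proto_select_cb!!last_negotiated"; a short comment stating that lifetime, and that the copy has to happen before FREETMPS, would make the reason for the reordering visible to the next person who edits this function. Separately, the length is still taken with `strlen()` on the `POPpx` pointer, which stops at the first NUL byte instead of using the length Perl holds for the returned scalar; popping the SV with `POPs` and reading pointer and length through `SvPV` would avoid that. On the over-255 path `*out` and `*outlen` are left untouched before SSL_TLSEXT_ERR_ALERT_FATAL is returned, which matches the old early return.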
Subject: Re: [rt.cpan.org #91196] [PATCH] Fix a use-after-free error
Date: Fri, 06 Dec 2013 11:28:17 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From mikem [...] airspayce.com Thu Dec 5 20:28:28 2013
From: Mike McCauley <mikem [...] airspayce.com>
Hi,

Thanks. This patch now in SVN 387

Cheers.

On Thursday, December 05, 2013 09:07:42 AM you wrote:
> Thu Dec 05 09:07:42 2013: Request 91196 was acted upon. > Transaction: Ticket created by lkundrak@v3.sk > Queue: Net-SSLeay > Subject: [PATCH] Fix a use-after-free error > Broken in: (no value) > Severity: (no value) > Owner: Nobody > Requestors: lkundrak@v3.sk > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=91196 > > > > Avoid using next_proto_data after it has been deallocated. > --- > Changes | 1 + > SSLeay.xs | 21 ++++++++++++--------- > 2 files changed, 13 insertions(+), 9 deletions(-) > > diff --git a/Changes b/Changes > index ab7c950..483628e 100644 > --- a/Changes > +++ b/Changes > @@ -8,6 +8,7 @@ Revision history for Perl extension Net::SSLeay. > Adjusted license: in META.yml to be 'openssl' > Adds support for the basic operations necessary to support ECDH for > PFS, e.g. EC_KEY_new_by_curve_name, EC_KEY_free and SSL_CTX_set_tmp_ecdh. + > Fix an use-after-free error. Patch from Lubomir Rintel. > > 1.55 2013-06-08 > Added support for TLSV1_1 and TLSV1_2 methods with > SSL_CTX_tlsv1_1_new(), diff --git a/SSLeay.xs b/SSLeay.xs > index 16c7604..9fb8e99 100644 > --- a/SSLeay.xs > +++ b/SSLeay.xs 
> @@ -844,19 +844,22 @@ int next_proto_select_cb_invoke(SSL *ssl, unsigned > char **out, unsigned char *ou croak ("Net::SSLeay: > next_proto_select_cb_invoke perl function did not return 2 values.\n"); > next_proto_data = (unsigned char*)POPpx; > next_proto_status = POPi; > + > + next_proto_len = strlen((const char*)next_proto_data); > + if (next_proto_len<=255) { > + /* store last_status + last_negotiated into global hash */ > + cb_data_advanced_put(ssl, "next_proto_select_cb!!last_status", > newSViv(next_proto_status)); + tmpsv = newSVpv((const > char*)next_proto_data, next_proto_len); + > cb_data_advanced_put(ssl, "next_proto_select_cb!!last_negotiated", tmpsv); > + *out = (unsigned char *)SvPVX(tmpsv); > + *outlen = next_proto_len; > + } > + > PUTBACK; > FREETMPS; > LEAVE; > > - if (strlen((const char*)next_proto_data)>255) return > SSL_TLSEXT_ERR_ALERT_FATAL; - next_proto_len = strlen((const > char*)next_proto_data); > - /* store last_status + last_negotiated into global hash */ > - cb_data_advanced_put(ssl, "next_proto_select_cb!!last_status", > newSViv(next_proto_status)); - tmpsv = newSVpv((const > char*)next_proto_data, next_proto_len); - cb_data_advanced_put(ssl, > "next_proto_select_cb!!last_negotiated", tmpsv); - *out = (unsigned > char *)SvPVX(tmpsv); > - *outlen = next_proto_len; > - return SSL_TLSEXT_ERR_OK; > + return next_proto_len>255 ? SSL_TLSEXT_ERR_ALERT_FATAL : > SSL_TLSEXT_ERR_OK; } > else if (SvROK(cb_data) && (SvTYPE(SvRV(cb_data)) == SVt_PVAV)) { > next_proto_len = next_proto_helper_AV2protodata((AV*)SvRV(cb_data), > NULL);
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070
Thanks

