Blame SOURCES/0001-asn1-fix-use-after-free-in-asn1_write.patch
|
 |
4c3126 |
From 3aa83995d7c0ef632fe0af3d032e48691a5ce781 Mon Sep 17 00:00:00 2001
|
|
|
4c3126 |
From: Jeff Layton <jlayton@samba.org>
|
|
|
4c3126 |
Date: Sun, 13 Oct 2013 21:07:28 -0400
|
|
|
4c3126 |
Subject: [PATCH] asn1: fix use-after-free in asn1_write
|
|
|
4c3126 |
|
|
|
4c3126 |
If the talloc_realloc() fails, asn1_write calls talloc_free on the
|
|
|
4c3126 |
context and then immediately dereferences the pointer.
|
|
|
4c3126 |
|
|
|
4c3126 |
Fix this by skipping the talloc_free here. Let the caller handle it.
|
|
|
4c3126 |
|
|
|
4c3126 |
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
|
4c3126 |
---
|
|
|
4c3126 |
asn1.c | 1 -
|
|
|
4c3126 |
1 file changed, 1 deletion(-)
|
|
|
4c3126 |
|
|
|
4c3126 |
diff --git a/asn1.c b/asn1.c
|
|
|
4c3126 |
index ea50a23..4c0e480 100644
|
|
|
4c3126 |
--- a/asn1.c
|
|
|
4c3126 |
+++ b/asn1.c
|
|
|
4c3126 |
@@ -47,7 +47,6 @@ bool asn1_write(struct asn1_data *data, const void *p, int len)
|
|
|
4c3126 |
uint8_t *newp;
|
|
|
4c3126 |
newp = talloc_realloc(data, data->data, uint8_t, data->ofs+len);
|
|
|
4c3126 |
if (!newp) {
|
|
|
4c3126 |
- asn1_free(data);
|
|
|
4c3126 |
data->has_error = true;
|
|
|
4c3126 |
return false;
|
|
|
4c3126 |
}
|
|
|
4c3126 |
--
|
|
|
4c3126 |
1.8.3.1
|
|
|
4c3126 |
|