|
 |
8dd812 |
From 1f6bbceeeeb613cf4d790874bdd1e917a7071159 Mon Sep 17 00:00:00 2001
|
|
|
8dd812 |
From: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
Date: Mon, 8 Jul 2019 16:54:56 +0200
|
|
|
8dd812 |
Subject: [PATCH] ext/session_ticket: avoid calling memcpy on overlapping
|
|
|
8dd812 |
memory areas
|
|
|
8dd812 |
|
|
|
8dd812 |
In _gnutls_encrypt_session_ticket, ticket.encrypted_state is allocated
|
|
|
8dd812 |
from ticket_data->data, thus those memory areas may overlap. Using
|
|
|
8dd812 |
memcpy here leads to undefined behavior.
|
|
|
8dd812 |
|
|
|
8dd812 |
Spotted by valgrind run on ppc64le.
|
|
|
8dd812 |
|
|
|
8dd812 |
==95231== Source and destination overlap in memcpy(0x47ce3a2, 0x47ce3a2, 160)
|
|
|
8dd812 |
==95231== at 0x408A840: memcpy (vg_replace_strmem.c:1023)
|
|
|
8dd812 |
==95231== by 0x424EE9F: pack_ticket (session_ticket.c:139)
|
|
|
8dd812 |
==95231== by 0x424FA4F: _gnutls_encrypt_session_ticket (session_ticket.c:335)
|
|
|
8dd812 |
==95231== by 0x4199E3B: generate_session_ticket (session_ticket.c:249)
|
|
|
8dd812 |
==95231== by 0x419A333: _gnutls13_send_session_ticket (session_ticket.c:307)
|
|
|
8dd812 |
==95231== by 0x40F8817: _gnutls13_handshake_server (handshake-tls13.c:511)
|
|
|
8dd812 |
==95231== by 0x4110DEB: handshake_server (handshake.c:3331)
|
|
|
8dd812 |
==95231== by 0x410C70B: gnutls_handshake (handshake.c:2727)
|
|
|
8dd812 |
==95231== by 0x10009EBF: retry_handshake (serv.c:1306)
|
|
|
8dd812 |
==95231== by 0x1000AB67: tcp_server (serv.c:1500)
|
|
|
8dd812 |
==95231== by 0x10009E5B: main (serv.c:1297)
|
|
|
8dd812 |
==95231==
|
|
|
8dd812 |
|
|
|
8dd812 |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
---
|
|
|
8dd812 |
lib/ext/session_ticket.c | 6 +++++-
|
|
|
8dd812 |
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
8dd812 |
|
|
|
8dd812 |
diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
|
|
|
8dd812 |
index 09e240c2d..98db39ff8 100644
|
|
|
8dd812 |
--- a/lib/ext/session_ticket.c
|
|
|
8dd812 |
+++ b/lib/ext/session_ticket.c
|
|
|
8dd812 |
@@ -136,7 +136,11 @@ pack_ticket(const struct ticket_st *ticket, gnutls_datum_t *ticket_data)
|
|
|
8dd812 |
_gnutls_write_uint16(ticket->encrypted_state_len, p);
|
|
|
8dd812 |
p += 2;
|
|
|
8dd812 |
|
|
|
8dd812 |
- memcpy(p, ticket->encrypted_state, ticket->encrypted_state_len);
|
|
|
8dd812 |
+ /* We use memmove instead of memcpy here because
|
|
|
8dd812 |
+ * ticket->encrypted_state is allocated from
|
|
|
8dd812 |
+ * ticket_data->data, and thus both memory areas may overlap.
|
|
|
8dd812 |
+ */
|
|
|
8dd812 |
+ memmove(p, ticket->encrypted_state, ticket->encrypted_state_len);
|
|
|
8dd812 |
p += ticket->encrypted_state_len;
|
|
|
8dd812 |
|
|
|
8dd812 |
memcpy(p, ticket->mac, TICKET_MAC_SIZE);
|
|
|
8dd812 |
--
|
|
|
8dd812 |
2.21.0
|
|
|
8dd812 |
|