From befdaa92d2c6ea36d6c3900b3882e7bf89934fb6 Mon Sep 17 00:00:00 2001
From: Bjørn Mork
Date: Sat, 4 Mar 2017 21:06:10 +0100
Subject: ripe-atlas-fw: imported version 4760
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Bjørn Mork
---
 eperd/sslgetcert.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'eperd/sslgetcert.c')

diff --git a/eperd/sslgetcert.c b/eperd/sslgetcert.c
index 6660b40..cba0f42 100644
--- a/eperd/sslgetcert.c
+++ b/eperd/sslgetcert.c
@@ -410,6 +410,11 @@ static int msgbuf_read(struct state *state, struct msgbuf *msgbuf, int *typep,
 *majorp= p[1];
 *minorp= p[2];
 len= (p[3] << 8) + p[4];
+ /* Note that buf_read may reallocate msgbuf->inbuf->buf,
+ * which invalidates p. For this reason, after buf_read
+ * either return to the caller, or use 'continue' to
+ * restart at the top of the loop.
+ */
 if (msgbuf->inbuf->size - msgbuf->inbuf->offset < 5 + len)
 {
 r= buf_read(state, msgbuf->inbuf);
@@ -1264,6 +1269,13 @@ static int eat_certificate(struct state *state)
 return -1;
 }
 len= (p[1] << 16) + (p[2] << 8) + p[3];
+
+ /* Note that msgbuf_read may cause the buffer
+ * (msgbuf->buffer.buf) to be reallocated. This will make
+ * p a wild pointer. To counter that, after msgbuf_read,
+ * either return an error to the caller or use 'continue'
+ * to restart at the top of the loop.
+ */
 if (msgbuf->buffer.size - msgbuf->buffer.offset < 4+len)
 {
 r= msgbuf_read(state, msgbuf, &type,
-- 
cgit v1.2.3
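Review bot: The added comment in msgbuf_read documents that `p` dangles once `buf_read` reallocates `msgbuf->inbuf->buf`, but it only asks future readers to remember the rule; the cheap mechanical defence is to clear the pointer immediately after the call so any stale use faults deterministically instead of reading freed heap memory: `r= buf_read(state, msgbuf->inbuf); p= NULL;`. Separately, `len= (p[3] << 8) + p[4]` is taken straight from the peer's record header, so if `p` is declared as plain `char *` rather than `unsigned char *`, a length byte of 0x80 or above sign-extends before the shift and the `5 + len` bound check would be computed from a negative value; the declaration is not in the hunk, so this is worth confirming. msgbuf_read's body starts and ends outside the hunk, so whether every path after `buf_read` really returns or `continue`s cannot be verified here.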
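Review bot: In eat_certificate the same advisory comment is added where `len` is a 24-bit value read directly from the Certificate message, and the guard `msgbuf->buffer.size - msgbuf->buffer.offset < 4+len` is only sound if `size`/`offset` are wide enough and the comparison is not signed-versus-unsigned, neither of which the hunk shows; a one-line comment stating the expected types of `size`, `offset` and `len` next to the check would make the invariant reviewable. As with the record-layer reader, nulling the pointer after the reallocating call turns the documented rule into an enforced one: `p= NULL;` immediately after the `msgbuf_read(...)` call whose argument list continues past the hunk. eat_certificate's enclosing loop starts and ends outside the hunk.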