[PATCH] fix segfault due to uninitialized variable

Matthias Petschick razzle at razzle.de
Thu Nov 22 06:40:10 EST 2012


Hi,

x509_crt_copy in ne_gnutls.c depends on the local size variable being 0
(or small enough) so that the subsequent call to gnutls_x509_crt_export
updates the variable to the correct size to hold the certificate. Since
size is used uninitialized, the value for it is undefined and more than
likely not 0, resulting in gnutls_x509_crt_export not returning
GNUTLS_E_SHORT_MEMORY_BUFFER and consequently x509_crt_copy returning NULL.
This is not caught by make_peers_chain which then passes the NULL
pointer to populate_cert, which eventually causes a segfault down the
road when NULL is dereferenced by get_dn in gnutls.

The attached patch makes sure size is initialized correctly to 0 and
checks if x509_crt_copy returns NULL.


Cheers,

Matthias

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ne_gnutls.c.patch
Type: text/x-patch
Size: 805 bytes
Desc: not available
Url : http://lists.manyfish.co.uk/pipermail/neon/attachments/20121122/6a96545b/attachment.bin 
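
The size-in/size-out contract behind this bug, as an added example that is not part of the original message, the attached patch, or the neon/GnuTLS sources. `fake_export`, the error codes and the sample bytes are constructed stand-ins (the non-short-buffer error for a large size with a NULL buffer is an assumption), and the `stale` parameter models the uninitialized stack value without reading indeterminate memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { E_OK = 0, E_OTHER = -1, E_SHORT_BUFFER = -2 }; /* stand-in codes */
/* Constructed sample bytes standing in for a DER certificate. */
static const unsigned char SAMPLE_DER[] = { 0x30, 0x03, 0x02, 0x01, 0x2a };

/* Hypothetical stand-in for the export call: *size is read as the capacity
 * of out and, when that is too small, overwritten with the length needed. */
static int fake_export(unsigned char *out, size_t *size)
{
    if (*size < sizeof SAMPLE_DER) {
        *size = sizeof SAMPLE_DER;
        return E_SHORT_BUFFER;
    }
    if (out == NULL)            /* capacity looked sufficient, no buffer */
        return E_OTHER;
    memcpy(out, SAMPLE_DER, sizeof SAMPLE_DER);
    *size = sizeof SAMPLE_DER;
    return E_OK;
}

/* Two-call copy. `stale` models what the stack slot held before the size
 * query; the fixed code always starts from 0. Returns NULL on failure. */
static unsigned char *copy_cert(size_t stale, size_t *len)
{
    size_t size = stale;

    if (fake_export(NULL, &size) != E_SHORT_BUFFER)
        return NULL;            /* the failure path the email describes */
    unsigned char *buf = malloc(size);
    if (buf == NULL || fake_export(buf, &size) != E_OK) {
        free(buf);
        return NULL;
    }
    *len = size;
    return buf;
}

int main(void)
{
    size_t stale[] = { 0, 4096 }, len = 0;
    for (int i = 0; i < 2; i++) {
        unsigned char *der = copy_cert(stale[i], &len);
        /* caller-side check: a failed copy is reported, never used */
        printf("initial size %zu: %s\n", stale[i], der ? "copied" : "copy failed");
        free(der);
    }
    return 0;
}
```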