prevent NSS from crashing on client auth hook failure

This commit is contained in:
Kamil Dudka 2013-01-15 13:48:21 +01:00
parent a4b7e93f2e
commit a5f3441ddf
2 changed files with 76 additions and 1 deletions

View File

@ -0,0 +1,68 @@
From c011938e10bf3af5896d0f7f5ecffc22150303f3 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 3 Dec 2012 13:17:50 +0100
Subject: [PATCH 1/3] nss: prevent NSS from crashing on client auth hook failure
Although it is not explicitly stated in the documentation, NSS uses
*pRetCert and *pRetKey even if the client authentication hook returns
a failure. Namely, if we destroy *pRetCert without clearing *pRetCert
afterwards, NSS destroys the certificate once again, which causes a
double free.
Reported by: Bob Relyea
[upstream commit 68d2830ee9df50961e481e81c1baaa290c33f03e]
---
lib/nss.c | 17 +++++++++++------
1 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/lib/nss.c b/lib/nss.c
index 22b53bf..794eccb 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -757,6 +757,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
static const char pem_slotname[] = "PEM Token #1";
SECItem cert_der = { 0, NULL, 0 };
void *proto_win = SSL_RevealPinArg(sock);
+ struct CERTCertificateStr *cert;
+ struct SECKEYPrivateKeyStr *key;
PK11SlotInfo *slot = PK11_FindSlotByName(pem_slotname);
if(NULL == slot) {
@@ -771,24 +773,27 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
return SECFailure;
}
- *pRetCert = PK11_FindCertFromDERCertItem(slot, &cert_der, proto_win);
+ cert = PK11_FindCertFromDERCertItem(slot, &cert_der, proto_win);
SECITEM_FreeItem(&cert_der, PR_FALSE);
- if(NULL == *pRetCert) {
+ if(NULL == cert) {
failf(data, "NSS: client certificate from file not found");
PK11_FreeSlot(slot);
return SECFailure;
}
- *pRetKey = PK11_FindPrivateKeyFromCert(slot, *pRetCert, NULL);
+ key = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
PK11_FreeSlot(slot);
- if(NULL == *pRetKey) {
+ if(NULL == key) {
failf(data, "NSS: private key from file not found");
- CERT_DestroyCertificate(*pRetCert);
+ CERT_DestroyCertificate(cert);
return SECFailure;
}
infof(data, "NSS: client certificate from file\n");
- display_cert_info(data, *pRetCert);
+ display_cert_info(data, cert);
+
+ *pRetCert = cert;
+ *pRetKey = key;
return SECSuccess;
}
--
1.7.1

View File

@ -1,13 +1,16 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.28.1
Release: 1%{?dist}
Release: 2%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
Source2: curlbuild.h
Source3: hide_selinux.c
# prevent NSS from crashing on client auth hook failure
Patch1: 0001-curl-7.28.1-68d2830e.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.27.0-multilib.patch
@ -101,6 +104,7 @@ documentation of the library, too.
%setup -q
# upstream patches
%patch1 -p1
# Fedora patches
%patch101 -p1
@ -224,6 +228,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
* Tue Jan 15 2013 Kamil Dudka <kdudka@redhat.com> 7.28.1-2
- prevent NSS from crashing on client auth hook failure
* Tue Nov 20 2012 Kamil Dudka <kdudka@redhat.com> 7.28.1-1
- new upstream release