diff mbox series

[Openvpn-devel] Check if pkcs11_cert is NULL before freeing it

Message ID 20221123154912.28394-1-maximilian.fillinger@foxcrypto.com
State Accepted
Headers show
Series [Openvpn-devel] Check if pkcs11_cert is NULL before freeing it | expand

Commit Message

Maximilian Fillinger Nov. 23, 2022, 3:49 p.m. UTC 
When running openvpn --show-tls with mbedtls, it showed a null pointer
error at the end because of this.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
---
 src/openvpn/ssl_mbedtls.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Arne Schwabe Nov. 23, 2022, 5:17 p.m. UTC | #1 
Am 23.11.22 um 16:49 schrieb Max Fillinger:
> When running openvpn --show-tls with mbedtls, it showed a null pointer
> error at the end because of this.
> 
> Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
> ---
>   src/openvpn/ssl_mbedtls.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
> index ea06cf70..aa55a1a0 100644
> --- a/src/openvpn/ssl_mbedtls.c
> +++ b/src/openvpn/ssl_mbedtls.c
> @@ -165,7 +165,10 @@ tls_ctx_free(struct tls_root_ctx *ctx)
>           free(ctx->crl);
>   
>   #if defined(ENABLE_PKCS11)
> -        pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
> +        if (ctx->pkcs11_cert)
> +        {
> +            pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
> +        }
>   #endif
>   
>           free(ctx->allowed_ciphers);

Sigh, a function that violates the C paradigm that calling somethingfree 
on a null pointer is fine. Maybe we should add as a comment that this 
function is special in this way.

Acked-By: Arne Schwabe <arne@rfc2549.org>

Arne
Selva Nair Nov. 23, 2022, 6:37 p.m. UTC | #2 
Hi,

On Wed, Nov 23, 2022 at 12:18 PM Arne Schwabe <arne@rfc2549.org> wrote:

> Am 23.11.22 um 16:49 schrieb Max Fillinger:
> > When running openvpn --show-tls with mbedtls, it showed a null pointer
> > error at the end because of this.
> >
> > Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
> > ---
> >   src/openvpn/ssl_mbedtls.c | 5 ++++-
> >   1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
> > index ea06cf70..aa55a1a0 100644
> > --- a/src/openvpn/ssl_mbedtls.c
> > +++ b/src/openvpn/ssl_mbedtls.c
> > @@ -165,7 +165,10 @@ tls_ctx_free(struct tls_root_ctx *ctx)
> >           free(ctx->crl);
> >
> >   #if defined(ENABLE_PKCS11)
> > -        pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
> > +        if (ctx->pkcs11_cert)
> > +        {
> > +            pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
> > +        }
> >   #endif
> >
> >           free(ctx->allowed_ciphers);
>
> Sigh, a function that violates the C paradigm that calling somethingfree
> on a null pointer is fine. Maybe we should add as a comment that this
> function is special in this way.
>

pkcs11h_certiciate_freeCertificate() does seem to handle NULL argument.
With --show-tls, are we calling this before intializing the pkcs11 library?
That could trigger an ASSERT.

Selva
Gert Doering Nov. 23, 2022, 7:19 p.m. UTC | #3 
Hi,

On Wed, Nov 23, 2022 at 01:37:47PM -0500, Selva Nair wrote:
> pkcs11h_certiciate_freeCertificate() does seem to handle NULL argument.
> With --show-tls, are we calling this before intializing the pkcs11 library?
> That could trigger an ASSERT.

If I build on Linux with mbedtls && --enable-pkcs11 (which I normally
don't do), and run --show-tls, this is what happens...

TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256
TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256
TLS-PSK-WITH-AES-128-CCM-8
openvpn: pkcs11h-certificate.c:1213: pkcs11h_certificate_freeCertificate: Assertion `_g_pkcs11h_data!=NULL' failed.
Aborted (core dumped)

... so, the crash seems to agree with your analysis :-)

gert
Gert Doering Nov. 23, 2022, 9:09 p.m. UTC | #4 
Confirmed that it crashes without the patch, and does not crash with it.

Added a comment, as suggested.

Your patch has been applied to the master and release/2.5 branch (bugfix).

commit 19c64f16baebbce966d55c62135d1ef066f7c8c2 (master)
commit 4f5e57d2c7ff9384b16c42eb9aa5af11d31f5dd1 (release/2.5)
Author: Max Fillinger
Date:   Wed Nov 23 16:49:12 2022 +0100

     Check if pkcs11_cert is NULL before freeing it

     Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
     Acked-by: Arne Schwabe <arne@rfc2549.org>
     Message-Id: <20221123154912.28394-1-maximilian.fillinger@foxcrypto.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25530.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
diff mbox series

Patch

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index ea06cf70..aa55a1a0 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -165,7 +165,10 @@  tls_ctx_free(struct tls_root_ctx *ctx)
         free(ctx->crl);
 
 #if defined(ENABLE_PKCS11)
-        pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
+        if (ctx->pkcs11_cert)
+        {
+            pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
+        }
 #endif
 
         free(ctx->allowed_ciphers);