From patchwork Sat Oct 6 23:00:32 2018
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 497
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 7 Oct 2018 12:00:32 +0200
Message-Id: <20181007100032.17060-1-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH] Fix use-after-free in tls_ctx_use_management_external_key

Commit 98bfeeb4 changed our openssl backend implementation of tls_ctx_use_management_external_key() to no longer use tls_ctx_load_cert_file_and_copy(), but still free'd 'cert'. Which it no longer should do.

Credits go to Arne for spotting the issue (even though it was missed during the review).

The offending commit is only recently applied to the master branch, so was never part of an OpenVPN release. For that reason I did not do full impact analysis.

Signed-off-by: Steffan Karger
Acked-By: Arne Schwabe
--- src/openvpn/ssl_openssl.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index fe4db604..7532773e 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c
@@ -1291,7 +1291,6 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) /* get the public key */ EVP_PKEY *pkey = X509_get0_pubkey(cert); ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ - X509_free(cert); if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
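Review bot: Nothing in the visible context around the removed X509_free(cert) says who owns cert, and that missing ownership note is the likely reason the stale free survived the review of 98bfeeb4. The removal itself looks right: per the commit message cert no longer comes from tls_ctx_load_cert_file_and_copy(), so this function holds no reference to release, and pkey from X509_get0_pubkey(cert) is a borrowed pointer (get0 does not take a reference) that is still read by EVP_PKEY_id(pkey) on the following line. Please add a short comment where cert is obtained (not shown in this hunk) stating that it is borrowed and must not be freed here, and extend the existing comment on ASSERT(pkey) to note that pkey stays valid only as long as cert does. Since the commit message says no full impact analysis was done, it is also worth confirming that no later error or cleanup path in this function still calls X509_free(cert).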