diff options
author | Rob Crittenden <rcritten@redhat.com> | 2015-09-24 11:58:06 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2015-10-02 16:51:56 -0400 |
commit | 9a81757673c89db67d7e4a6772b86fc713aebef6 (patch) | |
tree | ffd5fb053f13a596d17575d6675951eed5b9abf0 | |
parent | 837ab07aa506fce30a433454ca8de99073e660ad (diff) | |
download | mod_nss-9a81757673c89db67d7e4a6772b86fc713aebef6.tar.gz mod_nss-9a81757673c89db67d7e4a6772b86fc713aebef6.tar.xz mod_nss-9a81757673c89db67d7e4a6772b86fc713aebef6.zip |
Fix invalid read when retrieving PEM certificate
Based heavily on patch submitted by Stanislav Tokos <stokos@suse.de>
==30687== Invalid read of size 1
==30687== at 0x4C2D902: memmove (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==30687== by 0x9D0A844: nss_var_lookup_nss_cert_PEM (string3.h:58)
==30687== by 0x9D0AF58: nss_var_lookup_nss_cert
(nss_engine_vars.c:437)
==30687== by 0x9D0B411: nss_var_lookup (nss_engine_vars.c:339)
==30687== by 0x9D08813: nss_hook_Fixup (nss_engine_kernel.c:878)
==30687== by 0x146FE9: ap_run_fixups (in /usr/sbin/httpd2-prefork)
==30687== by 0x15B2C7: ap_process_request (in
/usr/sbin/httpd2-prefork)
==30687== by 0x158137: ??? (in /usr/sbin/httpd2-prefork)
==30687== by 0x153C52: ap_run_process_connection (in
/usr/sbin/httpd2-prefork)
==30687== by 0x1602DD: ??? (in /usr/sbin/httpd2-prefork)
==30687== by 0x160585: ??? (in /usr/sbin/httpd2-prefork)
==30687== by 0x1610AC: ap_mpm_run (in /usr/sbin/httpd2-prefork)
==30687== Address 0xf8cbc11 is 0 bytes after a block of size 1,745
alloc'd
==30687== at 0x4C29F09: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==30687== by 0xAD0573F: PORT_Alloc_Util (in
/usr/lib64/libnssutil3.so)
==30687== by 0xACFE179: NSSBase64_EncodeItem_Util (in
/usr/lib64/libnssutil3.so)
==30687== by 0xACFE1DA: BTOA_DataToAscii_Util (in
/usr/lib64/libnssutil3.so)
==30687== by 0x9D0A7EC: nss_var_lookup_nss_cert_PEM
(nss_engine_vars.c:569)
==30687== by 0x9D0AF58: nss_var_lookup_nss_cert
(nss_engine_vars.c:437)
==30687== by 0x9D0B411: nss_var_lookup (nss_engine_vars.c:339)
==30687== by 0x9D08813: nss_hook_Fixup (nss_engine_kernel.c:878)
==30687== by 0x146FE9: ap_run_fixups (in /usr/sbin/httpd2-prefork)
==30687== by 0x15B2C7: ap_process_request (in
/usr/sbin/httpd2-prefork)
==30687== by 0x158137: ??? (in /usr/sbin/httpd2-prefork)
==30687== by 0x153C52: ap_run_process_connection (in
/usr/sbin/httpd2-prefork)
-rw-r--r-- | nss_engine_vars.c | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/nss_engine_vars.c b/nss_engine_vars.c index 15fc9b4..0a4dd14 100644 --- a/nss_engine_vars.c +++ b/nss_engine_vars.c @@ -578,19 +578,14 @@ static char *nss_var_lookup_nss_cert_PEM(apr_pool_t *p, CERTCertificate *xs) * similar to mod_ssl. */ i=0; len = strlen(tmp); - while (tmp[i] != '\0') { + for (i=0; i < len; i++) { if (tmp[i] == '\r') { - memmove(&tmp[i], &tmp[i+1], 1+(len - i)); + memmove(&tmp[i], &tmp[i+1], 1+(len - i - 1)); } i++; } - /* Allocate the size of the cert + header + footer + 1 */ - result = apr_palloc(p, strlen(tmp) + 29 + 27 + 1); - strcpy(result, CERT_HEADER); - strcat(result, tmp); - strcat(result, CERT_TRAILER); - result[strlen(tmp) + 29 + 27] = '\0'; + result = apr_pstrcat(p, CERT_HEADER, tmp, CERT_TRAILER, NULL); /* Clean up memory. */ PR_Free(tmp); |