Fix invalid/double free if PKCS#11 token does not include CA certs

Commit b06b862 ("Include supporting certificates from PKCS#11 tokens") calls gnutls_free() on an invalid 't.data' value if gnutls_pkcs11_get_raw_issuer() returns an error, and calls gnutls_x509_crt_deinit() twice on 'issuer' if gnutls_x509_crt_import() returns an error. If the Issuer cert is not available on the PKCS#11 token, then gnutls_pkcs11_get_raw_issuer() fails and the call to gnutls_free(t.data) causes libc to print the following message then kill the process: *** Error in `/usr/sbin/openconnect': double free or corruption (!prev): 0x0000555555c69ff0 *** Signed-off-by: Paul Donohue <git@PaulSD.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
sailfishos-mirror · Oct 24, 2014 · 3215c30 · 3215c30
1 parent eecb72c
commit 3215c30
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/gnutls.c b/gnutls.c
@@ -1492,7 +1492,10 @@ static int load_certificate(struct openconnect_info *vpninfo)
 						err = gnutls_x509_crt_import(issuer, &t, GNUTLS_X509_FMT_DER);
 						if (err)
 							gnutls_x509_crt_deinit(issuer);
+						else
+							free_issuer = 1;
 					}
+					gnutls_free(t.data);
 				}
 				if (err) {
 					vpn_progress(vpninfo, PRG_ERR,
@@ -1503,8 +1506,6 @@ static int load_certificate(struct openconnect_info *vpninfo)
 					vpn_progress(vpninfo, PRG_ERR,
 						     _("Got next CA '%s' from PKCS11\n"), name);
 				}
-				free_issuer = 1;
-				gnutls_free(t.data);
 			}
 #endif
 			if (err)