~sircmpwn/gmni: gmnlm: host freed too early, causing UAF

b46b312817dada3c33fe33ca7ca5a01e0cc0a9f3 — Andrew 1 year, 11 months ago e0993d4

gmnlm: host freed too early, causing UAF

The host variable is freed too early. If a client certificate is not
found, the later error message in the
GEMINI_STATUS_CLASS_CLIENT_CERTIFICATE_REQUIRED case uses the freed host
variable to produce an incorrect openssl command. This fix just delays
the free to after the switch statement.

Test case:
gmnlm gemini://feeds.drewdevault.com

Prior:
The following OpenSSL command will generate a certificate for this host:

openssl req -x509 -newkey rsa:4096 \
 -keyout /home/andrew/.local/share/gmni/certs/Ú-=öU.key \
 -out /home/andrew/.local/share/gmni/certs/Ú-=öU.crt \
 -days 36500 -nodes

Now:
The following OpenSSL command will generate a certificate for this host:

openssl req -x509 -newkey rsa:4096 \
-keyout /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.key \
-out /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.crt \
-days 36500 -nodes

patch browse .tar.gz

1 files changed, 1 insertions(+), 1 deletions(-)

M src/gmnlm.c

M src/gmnlm.c => src/gmnlm.c +1 -1

@@ 415,7 415,6 @@ do_requests(struct browser *browser, struct gemini_response *resp)
 		} else {
 			browser->opts.client_cert = NULL;
 		}
-		free(host);
 	}
 
 	while (requesting) {


@@ 540,6 539,7 @@ out:
 		free(client_cert.key);
 	}
 	free(scheme);
+	free(host);
 	return res;
 }