~sircmpwn/gmni

b46b312817dada3c33fe33ca7ca5a01e0cc0a9f3 — Andrew 7 months ago e0993d4
gmnlm: host freed too early, causing UAF

The host variable is freed too early. If a client certificate is not
found, the later error message in the
GEMINI_STATUS_CLASS_CLIENT_CERTIFICATE_REQUIRED case uses the freed host
variable to produce an incorrect openssl command. This fix just delays
the free to after the switch statement.

Test case:
gmnlm gemini://feeds.drewdevault.com

Prior:
The following OpenSSL command will generate a certificate for this host:

openssl req -x509 -newkey rsa:4096 \
 -keyout /home/andrew/.local/share/gmni/certs/€Ú-=öU.key \
 -out /home/andrew/.local/share/gmni/certs/€Ú-=öU.crt \
 -days 36500 -nodes

Now:
The following OpenSSL command will generate a certificate for this host:

openssl req -x509 -newkey rsa:4096 \
-keyout /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.key \
-out /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.crt \
-days 36500 -nodes
1 files changed, 1 insertions(+), 1 deletions(-)

M src/gmnlm.c
M src/gmnlm.c => src/gmnlm.c +1 -1
@@ 415,7 415,6 @@ do_requests(struct browser *browser, struct gemini_response *resp)
		} else {
			browser->opts.client_cert = NULL;
		}
		free(host);
	}

	while (requesting) {
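Review bot: Dropping `free(host);` here is the right fix for the use after free, but it means `host` now stays live across the `while (requesting)` loop that follows, so any `return` or other exit from that loop that does not go through `out:` will now leak it; worth confirming that every exit path from `do_requests` after this point reaches `out:`. A short comment at this spot such as `/* host is freed at out: */` would also stop a future reader from reintroducing the early free. The test case in the commit message is a good candidate to run under AddressSanitizer (`-fsanitize=address`), so a regression shows up as a hard failure instead of garbled bytes in the generated openssl command.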


@@ 540,6 539,7 @@ out:
		free(client_cert.key);
	}
	free(scheme);
	free(host);
	return res;
}
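Review bot: Before the new `free(host);` at `out:` is safe, check that `host` is initialised (to NULL) on every path that can jump to `out:` before it is assigned; `free()` on an indeterminate pointer is undefined behaviour, while `free(NULL)` is a no-op. It is also worth confirming that `host` is not reassigned during the request loop (for example on a redirect) without the previous value being freed, since this single free at the end would then only release the last one. Following it with `host = NULL;` is cheap insurance against a double free should the cleanup order change again.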