|
|
cURL Mailing List Monthly Index Single Mail
curl-tracker Archives
[curl:bugs] #1236 Curl double-free with pkcs12 handling
From: Nikaiw <nikaiw_at_users.sf.net>
Date: Mon, 10 Jun 2013 11:46:22 +0000
You forgot to put the "--cert-type P12" in the command line argument.
curl --cert testca-test-0.p12 --cert-type P12 https://www.sourceforge.com
curl --version
It succesfully crashed on 7.30 as well.
./curl -V
I don't have a suggested patch I don't know curl code enough, i only notice we could avoid the problem by commenting out the last "sk_X509_pop_free(ca, X509_free);" but It could and would probably introduce a previously patched memory leak.
--- ** [bugs:#1236] Curl double-free with pkcs12 handling** **Status:** open **Created:** Fri May 31, 2013 10:06 PM UTC by Nikaiw **Last Updated:** Mon Jun 10, 2013 09:22 AM UTC **Owner:** Daniel Stenberg Summary : ------- There is a double free bug in curl when using p12 client certificate to connect to an https server. Steps to reproduce : ------------------ Connect to any https server using a client certificate in pkcs12 format. curl -vvv --cert yourcertificate.p12:yourpassword --cert-type P12 https://yourserver.com eg: * About to connect() to ************ port 443 (#0) * Trying **********... * Connected to ********** (*.*.*.*) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS alert, Server hello (2): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0 Erreur de segmentation (core dumped) Bug is 100% reproducible. Affected version : ---------------- Affected version are curl-7.24 to 7.30. Details : -------- Bug was introduced in following commit to fix a memory leak: https://github.com/bagder/curl/commit/6ea7acf5a96786f7514be4fbce174cdc8bedfdd1 on line 512 of ssluse.c: sk_X509_pop_free(ca, X509_free); curl is freeing data related to the handling of the certificate which may have already being freed by SSL_CTX_free call made on line 865 of ssluse.c when we are closing the ssl connexion. Here is a valgrind stacktrace: ==4136== Invalid free() / delete / delete[] / realloc() ==4136== at 0x4C2BA6C: free (vg_replace_malloc.c:446) ==4136== by 0x5B964EC: CRYPTO_free (mem.c:397) ==4136== by 0x5C4029F: asn1_item_combine_free (tasn_fre.c:176) ==4136== by 0x5C40484: ASN1_item_free (tasn_fre.c:71) ==4136== by 0x5C1E96F: sk_pop_free (stack.c:283) ==4136== by 0x590F806: SSL_CTX_free (ssl_lib.c:1947) ==4136== by 0x4E67BD4: Curl_ossl_close (ssluse.c:865) ==4136== by 0x4E89822: Curl_ssl_close (sslgen.c:421) ==4136== by 0x4E60906: Curl_disconnect (url.c:2565) ==4136== by 0x4E81B40: multi_runsingle (multi.c:1637) ==4136== by 0x4E81D54: curl_multi_perform (multi.c:1708) ==4136== by 0x4E76CDC: curl_easy_perform (easy.c:448) ==4136== Address 0x6636d00 is 0 bytes inside a block of size 184 free'd ==4136== at 0x4C2BA6C: free (vg_replace_malloc.c:446) ==4136== by 0x5B964EC: CRYPTO_free (mem.c:397) ==4136== by 0x5C4029F: asn1_item_combine_free (tasn_fre.c:176) ==4136== by 0x5C40484: ASN1_item_free (tasn_fre.c:71) ==4136== by 0x5C1E96F: sk_pop_free (stack.c:283) ==4136== by 0x4E67378: cert_stuff (ssluse.c:510) ==4136== by 0x4E68F54: ossl_connect_step1 (ssluse.c:1524) ==4136== by 0x4E6BBC8: ossl_connect_common (ssluse.c:2433) ==4136== by 0x4E6BE46: Curl_ossl_connect_nonblocking (ssluse.c:2522) ==4136== by 0x4E890A2: Curl_ssl_connect_nonblocking (sslgen.c:218) ==4136== by 0x4E49D5C: https_connecting (http.c:1345) ==4136== by 0x4E49CBA: Curl_http_connect (http.c:1315) I'm not sure the bug is exploitable nor i see any practical case. --- Sent from sourceforge.net because you indicated interest in <https://sourceforge.net/p/curl/bugs/1236/> To unsubscribe from further messages, please visit <https://sourceforge.net/auth/subscriptions/>Received on 2013-06-10 These mail archives are generated by hypermail. |
Page updated May 06, 2013.
web site info