[gnutls-devel] GnuTLS | memleak found by fuzz (#1071)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Aug 20 05:41:10 CEST 2020

lutianxiong commented:

I found that the heap memory address stored in session->key.proto.tls12 was overwritten by read_server_hello (handshake.c, line 1947):
```c
	if (!vers->tls13_sem) {
		gnutls_memset(&session->key.proto.tls13, 0,
			      sizeof(session->key.proto.tls13));
		reset_binders(session);
	}
```

The following is the debug info:
```
1947		if (!vers->tls13_sem) {
(gdb) p session->key.proto.tls12.dh
$7 = {params = {params = {0x602000004d10, 0x0, 0x602000004cd0, 0x0 <repeats 13 times>}, params_nr = 3, pkflags = 0, qbits = 0, curve = GNUTLS_ECC_CURVE_INVALID, dh_group = GNUTLS_GROUP_INVALID, gost_params = GNUTLS_GOST_PARAMSET_UNKNOWN, raw_pub = {data = 0x0,
      size = 0}, raw_priv = {data = 0x0, size = 0}, seed_size = 0, seed = '\000' <repeats 255 times>, palgo = GNUTLS_DIG_UNKNOWN, spki = {pk = GNUTLS_PK_UNKNOWN, rsa_pss_dig = GNUTLS_DIG_UNKNOWN, salt_size = 0, legacy = 0, dsa_dig = GNUTLS_DIG_UNKNOWN, flags = 0},
    algo = GNUTLS_PK_DH}, client_Y = 0x602000004cb0}
(gdb) n
1948			gnutls_memset(&session->key.proto.tls13, 0,
(gdb) n
1950			reset_binders(session);
(gdb) n
1956		if (!vers->tls13_sem &&
(gdb) p session->key.proto.tls12.dh
$8 = {params = {params = {0x602000000000, 0x0, 0x602000004cd0, 0x0 <repeats 13 times>}, params_nr = 3, pkflags = 0, qbits = 0, curve = GNUTLS_ECC_CURVE_INVALID, dh_group = GNUTLS_GROUP_INVALID, gost_params = GNUTLS_GOST_PARAMSET_UNKNOWN, raw_pub = {data = 0x0,
      size = 0}, raw_priv = {data = 0x0, size = 0}, seed_size = 0, seed = '\000' <repeats 255 times>, palgo = GNUTLS_DIG_UNKNOWN, spki = {pk = GNUTLS_PK_UNKNOWN, rsa_pss_dig = GNUTLS_DIG_UNKNOWN, salt_size = 0, legacy = 0, dsa_dig = GNUTLS_DIG_UNKNOWN, flags = 0},
    algo = GNUTLS_PK_DH}, client_Y = 0x602000004cb0}
(gdb)
```
Later, while gnutls_deinit frees the session, gnutls_pk_params_release(&session->key.proto.tls12.dh.params) triggers the heap-buffer-overflow read.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1071#note_399141602
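An added example (not code from the report or from GnuTLS) modelling the failure mode the gdb output above implies: the TLS 1.2 and TLS 1.3 key state share storage, so zeroing the 1.3 member clobbers a live 1.2 heap pointer, which later gets released. Beside it is one defensive pattern that records which member is live and releases it before the storage is zeroed; the struct layout, `proto_kind` and `reset_proto` are assumptions for illustration, not the upstream structures or fix.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not GnuTLS's real structs) of the layout the gdb output
 * implies: the TLS 1.2 and TLS 1.3 key state share storage, so zeroing the
 * 1.3 member also zeroes the leading bytes of the 1.2 member. */
struct tls12_state { void *params[16]; int params_nr; };
struct tls13_state { unsigned char secret[8]; };  /* overlaps params[0] */
enum proto_kind { PROTO_NONE, PROTO_TLS12, PROTO_TLS13 };
struct session_key {
	enum proto_kind active;
	union { struct tls12_state tls12; struct tls13_state tls13; } proto;
};

/* Buggy sequence from the report: zero the inactive member while the other
 * still owns heap pointers. Returns true if the live pointer was clobbered. */
static bool buggy_reset_clobbers_pointer(void)
{
	struct session_key key = { .active = PROTO_TLS12 };
	void *p = malloc(32);
	key.proto.tls12.params[0] = p;
	key.proto.tls12.params_nr = 1;
	memset(&key.proto.tls13, 0, sizeof key.proto.tls13);  /* the bug */
	bool clobbered = key.proto.tls12.params[0] != p;      /* now NULL */
	free(p);  /* release via the saved copy; the struct has lost it */
	return clobbered;
}

/* Defensive pattern (an assumption, not the upstream fix): record which union
 * member is live and release it before anything in the union is zeroed. */
static void reset_proto(struct session_key *k, enum proto_kind want)
{
	if (k->active == PROTO_TLS12) {
		for (int i = 0; i < k->proto.tls12.params_nr; i++)
			free(k->proto.tls12.params[i]);
	}
	memset(&k->proto, 0, sizeof k->proto);  /* safe: nothing live in it now */
	k->active = want;
}

static bool safe_reset_leaves_clean_state(void)
{
	struct session_key key = { .active = PROTO_TLS12 };
	key.proto.tls12.params[0] = malloc(32);
	key.proto.tls12.params_nr = 1;
	reset_proto(&key, PROTO_TLS13);
	return key.proto.tls12.params[0] == NULL && key.proto.tls12.params_nr == 0;
}
```

Running the buggy sequence under AddressSanitizer, as the reporter did, is what turns the silently clobbered pointer into a diagnosed invalid read at release time.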