summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTobias Brunner <tobias@strongswan.org>2021-09-28 19:38:22 +0200
committerDaniil Baturin <daniil@vyos.io>2021-11-24 10:17:39 -0500
commit7d5961bab37fe964170fc020b24e6e71bf25cc19 (patch)
tree714132814e13944d2fcf1acac98cc998015ace96
parentb22f839a05d88cb35dfa8dfc9fa814e6e8dfe67c (diff)
downloadvyos-strongswan-7d5961bab37fe964170fc020b24e6e71bf25cc19.tar.gz
vyos-strongswan-7d5961bab37fe964170fc020b24e6e71bf25cc19.zip
cert-cache: Prevent crash due to integer overflow/sign change1.3.81.3.71.3.61.3.51.3.41.3.3-epa11.3.31.3.2equuleus
random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added directly to that offset before applying`% CACHE_SIZE` to get an index into the cache array. If the random value was very high, this resulted in an integer overflow and a negative index value and, therefore, an out-of-bounds access of the array and in turn dereferencing invalid pointers when trying to acquire the read lock. This most likely results in a segmentation fault. Fixes: 764e8b2211ce ("reimplemented certificate cache") Fixes: CVE-2021-41991 Signed-off-by: Daniil Baturin <daniil@vyos.io>
-rw-r--r--src/libstrongswan/credentials/sets/cert_cache.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index f1579c60a..ceebb3843 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this,
for (try = 0; try < REPLACE_TRIES; try++)
{
/* replace a random relation */
- offset = random();
+ offset = random() % CACHE_SIZE;
for (i = 0; i < CACHE_SIZE; i++)
{
rel = &this->relations[(i + offset) % CACHE_SIZE];