diff options
| author | Tobias Brunner <tobias@strongswan.org> | 2021-09-28 19:38:22 +0200 |
|---|---|---|
| committer | Daniil Baturin <daniil@vyos.io> | 2021-11-24 10:17:53 -0500 |
| commit | cfdaa88a6a069d98d082fc464cd4b4aa7ff3105d (patch) | |
| tree | 5fbd6bee4e0460bb5ec8b4071e732d0b3b1abdd2 | |
| parent | 2d899ce706ccb01dc9e8193aebca297058094391 (diff) | |
| download | vyos-strongswan-crux.tar.gz vyos-strongswan-crux.zip | |
random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added
directly to that offset before applying`% CACHE_SIZE` to get an index into
the cache array. If the random value was very high, this resulted in an
integer overflow and a negative index value and, therefore, an out-of-bounds
access of the array and in turn dereferencing invalid pointers when trying
to acquire the read lock. This most likely results in a segmentation fault.
Fixes: 764e8b2211ce ("reimplemented certificate cache")
Fixes: CVE-2021-41991
Signed-off-by: Daniil Baturin <daniil@vyos.io>
| -rw-r--r-- | src/libstrongswan/credentials/sets/cert_cache.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c index f1579c60a..ceebb3843 100644 --- a/src/libstrongswan/credentials/sets/cert_cache.c +++ b/src/libstrongswan/credentials/sets/cert_cache.c @@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this, for (try = 0; try < REPLACE_TRIES; try++) { /* replace a random relation */ - offset = random(); + offset = random() % CACHE_SIZE; for (i = 0; i < CACHE_SIZE; i++) { rel = &this->relations[(i + offset) % CACHE_SIZE]; |