diff options
| author | Tobias Brunner <tobias@strongswan.org> | 2021-09-28 19:38:22 +0200 |
|---|---|---|
| committer | Daniil Baturin <daniil@vyos.io> | 2021-11-24 10:17:39 -0500 |
| commit | 7d5961bab37fe964170fc020b24e6e71bf25cc19 (patch) | |
| tree | 714132814e13944d2fcf1acac98cc998015ace96 /testing/tests/ikev2/ip-two-pools/evaltest.dat | |
| parent | b22f839a05d88cb35dfa8dfc9fa814e6e8dfe67c (diff) | |
| download | vyos-strongswan-1.3.8.tar.gz vyos-strongswan-1.3.8.zip | |
cert-cache: Prevent crash due to integer overflow/sign change1.3.81.3.71.3.61.3.51.3.41.3.3-epa11.3.31.3.2equuleus
random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added
directly to that offset before applying`% CACHE_SIZE` to get an index into
the cache array. If the random value was very high, this resulted in an
integer overflow and a negative index value and, therefore, an out-of-bounds
access of the array and in turn dereferencing invalid pointers when trying
to acquire the read lock. This most likely results in a segmentation fault.
Fixes: 764e8b2211ce ("reimplemented certificate cache")
Fixes: CVE-2021-41991
Signed-off-by: Daniil Baturin <daniil@vyos.io>
Diffstat (limited to 'testing/tests/ikev2/ip-two-pools/evaltest.dat')
0 files changed, 0 insertions, 0 deletions