blob: 2d898fa5cf12e2b927b09834744f1f5478c7a74b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 28 Sep 2021 19:38:22 +0200
Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change
random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added
directly to that offset before applying`% CACHE_SIZE` to get an index into
the cache array. If the random value was very high, this resulted in an
integer overflow and a negative index value and, therefore, an out-of-bounds
access of the array and in turn dereferencing invalid pointers when trying
to acquire the read lock. This most likely results in a segmentation fault.
Fixes: 764e8b2211ce ("reimplemented certificate cache")
Fixes: CVE-2021-41991
Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41991]
CVE: CVE-2021-41991
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
---
src/libstrongswan/credentials/sets/cert_cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index f1579c60a9bc..ceebb3843725 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this,
for (try = 0; try < REPLACE_TRIES; try++)
{
/* replace a random relation */
- offset = random();
+ offset = random() % CACHE_SIZE;
for (i = 0; i < CACHE_SIZE; i++)
{
rel = &this->relations[(i + offset) % CACHE_SIZE];
--
2.25.1
|
