From: Theo Buehler <tb@theobuehler.org>
Subject: Re: rpki-client: avoid crash in file mode
To: tech@openbsd.org
Date: Thu, 6 Jun 2024 08:03:47 +0200

On Thu, Jun 06, 2024 at 07:57:53AM +0200, Claudio Jeker wrote:
> On Thu, Jun 06, 2024 at 07:44:59AM +0200, Theo Buehler wrote:
> > Looking at an expired TA cert crashes because ta_parse() frees cert
> > while expires and notafter still point at members of that struct.
> > Since expires != NULL, we'll try to cert_print(NULL) and boom.

> It seems other code only clears expires but not notafter. Should those
> bits also be adjusted and clear notafter as well?

Right, I noticed the one in the other branch right after sending. I
think I prefer to invalidate and reset after we know they're good.

Can't spot more than this one.

Index: filemode.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v
diff -u -p -r1.42 filemode.c
--- filemode.c	20 May 2024 15:51:43 -0000	1.42
+++ filemode.c	6 Jun 2024 06:01:04 -0000
@@ -526,9 +526,15 @@ proc_parser_file(char *file, unsigned ch
 			constraints_validate(file, cert);
 		}
 	} else if (is_ta) {
+		expires = NULL;
+		notafter = NULL;
 		if ((tal = find_tal(cert)) != NULL) {
 			cert = ta_parse(file, cert, tal->pkey, tal->pkeysz);
 			status = (cert != NULL);
+			if (status) {
+				expires = &cert->expires;
+				notafter = &cert->notafter;
+			}
 			if (outformats & FORMAT_JSON)
 				json_do_string("tal", tal->descr);
 			else
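Review bot: In the is_ta branch, nothing documents why expires and notafter are cleared before find_tal()/ta_parse() and only re-pointed under if (status). A one-line comment saying that ta_parse() can free cert and return NULL would keep a later cleanup from hoisting the assignments back above the call. Since cert is reassigned from the return value of ta_parse(), taking &cert->expires and &cert->notafter only after that assignment is the right order.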
@@ -538,7 +544,6 @@ proc_parser_file(char *file, unsigned ch
 		} else {
 			cert_free(cert);
 			cert = NULL;
-			expires = NULL;
 			status = 0;
 		}
 	}
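Review bot: With expires = NULL removed from this else branch, the path after cert_free(cert) depends entirely on the unconditional reset added at the top of the is_ta branch, and the removed line never cleared notafter on this path. That is fine as long as nothing between that reset and this else re-points either pointer. It is worth confirming that in the lines between the two hunks, which are not shown here, because otherwise both pointers would reference freed memory after cert_free(cert).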