security-and-privacy/uts-server
security-and-privacy/uts-server
1
0
Fork 0
mirror of https://github.com/kakwa/uts-server synced 2025-01-10 05:34:29 +01:00
Code Issues Releases Wiki Activity

fix segfault in case of a bad request

Browse Source 
* if the request is wrong, the request handler tried to access the
none allocated serial, which crashes the process.
This commit is contained in:
kakwa 2016-09-05 23:09:00 +02:00
parent 33072aefe1
commit bf2fc90e30
1 changed files with 26 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
src/lib/rfc3161.c
View File

@ -208,6 +208,7 @@ int create_response(rfc3161_context *ct, char *query, int query_len,
goto end; goto end;
} }
// put the reponse data in *resp char *
FILE *stream = open_memstream((char **)resp, (size_t *)resp_size); FILE *stream = open_memstream((char **)resp, (size_t *)resp_size);
ret = i2d_TS_RESP_fp(stream, ts_response); ret = i2d_TS_RESP_fp(stream, ts_response);
fflush(stream); fflush(stream);
@ -222,25 +223,40 @@ end:
TS_STATUS_INFO_print_bio(status_bio, ts_response->status_info); TS_STATUS_INFO_print_bio(status_bio, ts_response->status_info);
BIO_get_mem_ptr(status_bio, &bptr); BIO_get_mem_ptr(status_bio, &bptr);
ASN1_INTEGER *serial = ts_response->tst_info->serial; char *serial_hex = NULL;
BIGNUM *serial_bn = ASN1_INTEGER_to_BN(serial, NULL);
char *serial_hex = BN_bn2hex(serial_bn);
BN_free(serial_bn);
*serial_id = calloc(SERIAL_ID_SIZE + 1, sizeof(char)); *serial_id = calloc(SERIAL_ID_SIZE + 1, sizeof(char));
// if we have a proper response, we recover the serial to identify the logs
if (ts_response->tst_info != NULL &&
ts_response->tst_info->serial != NULL) {
ASN1_INTEGER *serial = ts_response->tst_info->serial;
BIGNUM *serial_bn = ASN1_INTEGER_to_BN(serial, NULL);
serial_hex = BN_bn2hex(serial_bn);
BN_free(serial_bn);
} else {
serial_hex = calloc(SERIAL_ID_SIZE, sizeof(char));
strncpy(serial_hex, " NO ID ", SERIAL_ID_SIZE + 2);
}
// get a short version of the serial (150 bits in hexa is a bit long)
strncpy(*serial_id, serial_hex, SERIAL_ID_SIZE); strncpy(*serial_id, serial_hex, SERIAL_ID_SIZE);
// log the full serial as a debug message
uts_logger(ct, LOG_DEBUG,
"timestamp full serial: %s (response serial '%s...')",
serial_hex, *serial_id);
free(serial_hex);
// replacing '\n' by '|' to log on one line only // replacing '\n' by '|' to log on one line only
char *temp = strstr(bptr->data, "\n"); char *temp = strstr(bptr->data, "\n");
while (temp != NULL && (temp = strstr(bptr->data, "\n")) != NULL) { while (temp != NULL && (temp = strstr(bptr->data, "\n")) != NULL) {
temp[0] = '|'; temp[0] = '|';
} }
uts_logger(ct, LOG_DEBUG, // log the full responce status, info and failure info
"timestamp full serial: %s (response serial '%s...')",
serial_hex, *serial_id);
uts_logger(ct, LOG_DEBUG, uts_logger(ct, LOG_DEBUG,
"TimeStamp OpenSSL status: |%s (response serial '%s...')", "TimeStamp OpenSSL status: |%s (response serial '%s...')",
bptr->data, *serial_id); bptr->data, *serial_id);
// emit logs according the return value
long status = ASN1_INTEGER_get(ts_response->status_info->status); long status = ASN1_INTEGER_get(ts_response->status_info->status);
switch (status) { switch (status) {
case TS_STATUS_GRANTED: case TS_STATUS_GRANTED:
@ -287,6 +303,7 @@ end:
ret = 0; ret = 0;
} }
// log the openssl errors
while ((err_code = ERR_get_error())) { while ((err_code = ERR_get_error())) {
if (err_code_prev != err_code) { if (err_code_prev != err_code) {
ERR_load_TS_strings(); ERR_load_TS_strings();
@ -298,9 +315,10 @@ end:
} }
err_code_prev = err_code; err_code_prev = err_code;
} }
// some cleaning
BIO_free_all(status_bio); BIO_free_all(status_bio);
TS_RESP_free(ts_response); TS_RESP_free(ts_response);
free(serial_hex);
return ret; return ret;
} }