cert-cache: Prevent crash due to integer overflow/sign change

random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
equaling INT_MAX = 2^31-1.  Previously, values between 0 and 31 were added
directly to that offset before applying`% CACHE_SIZE` to get an index into
the cache array.  If the random value was very high, this resulted in an
integer overflow and a negative index value and, therefore, an out-of-bounds
access of the array and in turn dereferencing invalid pointers when trying
to acquire the read lock.  This most likely results in a segmentation fault.

Fixes: 764e8b2211ce ("reimplemented certificate cache")
Fixes: CVE-2021-41991

diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index f1579c60a9bc88ae01a20c12b13f8a6bbaccbef3..ceebb3843725b773a61e2ecbe01d56858db87082 100644 (file)
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this,
        for (try = 0; try < REPLACE_TRIES; try++)
        {
                /* replace a random relation */
-               offset = random();
+               offset = random() % CACHE_SIZE;
                for (i = 0; i < CACHE_SIZE; i++)
                {
                        rel = &this->relations[(i + offset) % CACHE_SIZE];