From: Jiri Denemark <jdenemar@redhat.com>
Date: Thu, 10 Feb 2022 15:16:48 +0000 (+0100)
Subject: qemu_migration_cookie: Properly fetch cert DN
X-Git-Tag: v8.1.0-rc1~112
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3a311593e5eb8d464a6033ccfab62932c701071d;p=thirdparty%2Flibvirt.git

qemu_migration_cookie: Properly fetch cert DN

If 1024 was not enough to fit the DN, gnutls_x509_crt_get_dn would store
the required size in subjectlen. And since we're not checking the return
value of this function, we would happily overwrite some random memory.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---

diff --git a/src/qemu/qemu_migration_cookie.c b/src/qemu/qemu_migration_cookie.c
index 76a01781d6..5d14e271c1 100644
--- a/src/qemu/qemu_migration_cookie.c
+++ b/src/qemu/qemu_migration_cookie.c
@@ -180,12 +180,12 @@ static char *
 qemuDomainExtractTLSSubject(const char *certdir)
 {
     g_autofree char *certfile = NULL;
-    char *subject = NULL;
+    g_autofree char *subject = NULL;
     g_autofree char *pemdata = NULL;
     gnutls_datum_t pemdatum;
     gnutls_x509_crt_t cert;
     int rc;
-    size_t subjectlen;
+    size_t subjectlen = 256;
 
     certfile = g_strdup_printf("%s/server-cert.pem", certdir);
 
@@ -214,13 +214,21 @@ qemuDomainExtractTLSSubject(const char *certdir)
         return NULL;
     }
 
-    subjectlen = 1024;
     subject = g_new0(char, subjectlen + 1);
-
-    gnutls_x509_crt_get_dn(cert, subject, &subjectlen);
+    rc = gnutls_x509_crt_get_dn(cert, subject, &subjectlen);
+    if (rc == GNUTLS_E_SHORT_MEMORY_BUFFER) {
+        subject = g_realloc(subject, subjectlen + 1);
+        rc = gnutls_x509_crt_get_dn(cert, subject, &subjectlen);
+    }
+    if (rc != 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("cannot get cert distinguished name: %s"),
+                       gnutls_strerror(rc));
+        return NULL;
+    }
     subject[subjectlen] = '\0';
 
-    return subject;
+    return g_steal_pointer(&subject);
 }