From: Tobias Brunner Date: Tue, 28 Sep 2021 17:38:22 +0000 (+0200) Subject: cert-cache: Prevent crash due to integer overflow/sign change X-Git-Tag: 5.9.4~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dceed8e099c8f9d5606fa7e5a0742fb5e023103b;p=thirdparty%2Fstrongswan.git cert-cache: Prevent crash due to integer overflow/sign change random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added directly to that offset before applying`% CACHE_SIZE` to get an index into the cache array. If the random value was very high, this resulted in an integer overflow and a negative index value and, therefore, an out-of-bounds access of the array and in turn dereferencing invalid pointers when trying to acquire the read lock. This most likely results in a segmentation fault. Fixes: 764e8b2211ce ("reimplemented certificate cache") Fixes: CVE-2021-41991 --- diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c index f1579c60a9..ceebb38437 100644 --- a/src/libstrongswan/credentials/sets/cert_cache.c +++ b/src/libstrongswan/credentials/sets/cert_cache.c @@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this, for (try = 0; try < REPLACE_TRIES; try++) { /* replace a random relation */ - offset = random(); + offset = random() % CACHE_SIZE; for (i = 0; i < CACHE_SIZE; i++) { rel = &this->relations[(i + offset) % CACHE_SIZE];