From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 3 Dec 2020 11:14:35 +0000 (+0100)
Subject: imv-scanner: Fix potentially unsafe port filter attribute destruction
X-Git-Tag: 5.9.2dr1~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb4cd8e3b1e46ceeb748bf21f3d958911f19aa42;p=thirdparty%2Fstrongswan.git

imv-scanner: Fix potentially unsafe port filter attribute destruction

DESTROY_IF() checks if the given value is not NULL, before calling
destroy() on it, which does not work for sub-structs.  If
port_filter_attr is NULL, this could crash.
---

diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
index 2429733a59..5606c30120 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
@@ -321,8 +321,12 @@ METHOD(imv_state_t, reset, void,
 
 	this->handshake_state = IMV_SCANNER_STATE_INIT;
 
-	DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
-	this->port_filter_attr = NULL;
+	if (this->port_filter_attr)
+	{
+		this->port_filter_attr->pa_tnc_attribute.destroy(
+									&this->port_filter_attr->pa_tnc_attribute);
+		this->port_filter_attr = NULL;
+	}
 	this->violating_ports->destroy_function(this->violating_ports, free);
 	this->violating_ports = linked_list_create();
 }
@@ -333,7 +337,11 @@ METHOD(imv_state_t, destroy, void,
 	DESTROY_IF(this->session);
 	DESTROY_IF(this->reason_string);
 	DESTROY_IF(this->remediation_string);
-	DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
+	if (this->port_filter_attr)
+	{
+		this->port_filter_attr->pa_tnc_attribute.destroy(
+									&this->port_filter_attr->pa_tnc_attribute);
+	}
 	this->contracts->destroy(this->contracts);
 	this->violating_ports->destroy_function(this->violating_ports, free);
 	free(this);
@@ -354,7 +362,11 @@ METHOD(imv_scanner_state_t, get_handshake_state, imv_scanner_handshake_state_t,
 METHOD(imv_scanner_state_t, set_port_filter_attr, void,
 	private_imv_scanner_state_t *this, ietf_attr_port_filter_t *attr)
 {
-	DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
+	if (this->port_filter_attr)
+	{
+		this->port_filter_attr->pa_tnc_attribute.destroy(
+									&this->port_filter_attr->pa_tnc_attribute);
+	}
 	this->port_filter_attr = attr;
 }