lib/psk: add null check for binder algo

Currently, `pskcred->binder_algo` is used without checking first if it
is valid. This can lead to a NULL pointer dereference in cases such as
[1]. This patch adds NULL check `pskcred->binder_algo` before using it.

This also makes it more explicit in
gnutls_psk_allocate_server_credentials2() that `pskcred->binder_algo
== NULL` indicates auto-detection, while avoiding the linear lookup
for a NULL entry.

[1] https://gitlab.com/gnutls/gnutls/-/issues/1729

Fix Suggested by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>

diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
index d709efa74bc6ac0d5454ffd6ec2f4ba92bbec379..82a16e02c7317b9485f301cc514970143662681a 100644 (file)
--- a/lib/ext/pre_shared_key.c
+++ b/lib/ext/pre_shared_key.c
@@ -886,9 +886,9 @@ retry_binder:
                        gnutls_psk_key_flags flags;
                        uint8_t ipsk[MAX_HASH_SIZE];
 
-                       prf = pskcred->binder_algo;
-                       if (prf->id == GNUTLS_MAC_UNKNOWN)
-                               prf = _gnutls_mac_to_entry(mac);
+                       prf = pskcred->binder_algo == NULL ?
+                                     _gnutls_mac_to_entry(mac) :
+                                     pskcred->binder_algo;
 
                        /* this fails only on configuration errors; as such we always
                         * return its error code in that case */
@@ -983,7 +983,7 @@ retry_binder:
                 * even for SHA384 PSKs, so we need to retry with SHA256
                 * to calculate the correct binder value for those.
                 */
-               if (prf->id == GNUTLS_MAC_UNKNOWN && mac == GNUTLS_MAC_SHA384) {
+               if (pskcred->binder_algo == NULL && mac == GNUTLS_MAC_SHA384) {
                        mac = GNUTLS_MAC_SHA256;
                        goto retry_binder;
                }

diff --git a/lib/psk.c b/lib/psk.c
index 06cf5b03d1edea69a195de3d1ee52b9f24fea5fd..f851b3d44ae4e9d00dea296ca8c03cd7b939b892 100644 (file)
--- a/lib/psk.c
+++ b/lib/psk.c
@@ -256,8 +256,12 @@ int gnutls_psk_allocate_server_credentials2(gnutls_psk_server_credentials_t *sc,
 
        if (*sc == NULL)
                return GNUTLS_E_MEMORY_ERROR;
-
-       (*sc)->binder_algo = _gnutls_mac_to_entry(mac);
+       /*
+        * For GNUTLS_MAC_UNKNOWN, setting binder_algo to NULL allows
+        * for auto-detction.
+        */
+       (*sc)->binder_algo =
+               (mac == GNUTLS_MAC_UNKNOWN ? NULL : _gnutls_mac_to_entry(mac));
        return 0;
 }