pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin

Changing Security Officer PIN with gnutls_pkcs11_token_set_pin() with
oldpin == NULL for a token that lacks a protected authentication path
led to a use-after-free.

Reported-by: Luigino Camastra and Joshua Rogers of AISLE Research Team
Fixes: #1766
Fixes: #1809
Fixes: CVE-2026-42014
Fixes: GNUTLS-SA-2026-04-29-9
CVSS: 4.0 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 64b85a2dfc31f86c3e36ee5cc25e09ab6cbcbf34..1dff578f2d60c7554c502cffcb4ff202779d231b 100644 (file)
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -1266,10 +1266,9 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
                ses_flags = SESSION_WRITE | SESSION_LOGIN;
 
        ret = pkcs11_open_session(&sinfo, NULL, info, ses_flags);
-       p11_kit_uri_free(info);
-
        if (ret < 0) {
                gnutls_assert();
+               p11_kit_uri_free(info);
                return ret;
        }
 
@@ -1290,9 +1289,11 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
                oldpin_size = L(oldpin);
 
                if (!(sinfo.tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
-                       if (newpin == NULL)
-                               return gnutls_assert_val(
+                       if (newpin == NULL) {
+                               ret = gnutls_assert_val(
                                        GNUTLS_E_INVALID_REQUEST);
+                               goto finish;
+                       }
 
                        if (oldpin == NULL) {
                                struct pin_info_st pin_info;
@@ -1324,6 +1325,7 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
        ret = 0;
 
 finish:
+       p11_kit_uri_free(info);
        pkcs11_close_session(&sinfo);
        return ret;
 }