SECURITY: use-after-free in PSK binder calculation
In lib/ext/pre_shared_key.c, there is the following code:
    client_hello.data = extdata->data+sizeof(mbuffer_st);
    client_hello.size = extdata->length-sizeof(mbuffer_st);
    ...
    ret = _gnutls_buffer_append_prefix(extdata, 16, binders_len); /* (1) */
    ...
    ret = compute_psk_binder(session, prf_res, ... &client_hello, ...); /* (2) */
When the binders length prefix is appended at (1), realloc may be called on extdata->data, so the backing store can move and client_hello.data is no longer a valid pointer when it is dereferenced at (2). The attached patch can be used to expose the invalid read by modifying the gnutls_buffer allocators to always take a simpler strategy of memory allocation, so that every growth moves the block.
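The pointer-across-realloc pattern described above, as an added illustration in C that is not GnuTLS code: growbuf_t, growbuf_append_prefix16 and checksum are assumed stand-ins for gnutls_buffer, _gnutls_buffer_append_prefix and compute_psk_binder, and the header and body bytes are constructed sample input. It shows the buggy shape (pointer captured before the append, used after), a check that reports whether the append actually moved the buffer, and the hardened shape that keeps an offset and re-derives the pointer from the possibly new base after the append.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable buffer; a stand-in for gnutls_buffer, not the real type. */
typedef struct {
    uint8_t *data;
    size_t length;
    size_t allocated;
} growbuf_t;

int growbuf_init(growbuf_t *b, size_t initial) {
    b->data = malloc(initial ? initial : 1);
    if (!b->data) return -1;
    b->length = 0;
    b->allocated = initial;
    return 0;
}

/* Append n bytes; grows with realloc, which may move the block.
 * Any raw pointer into b->data taken before this call is stale afterwards. */
int growbuf_append(growbuf_t *b, const uint8_t *src, size_t n) {
    if (b->length + n > b->allocated) {
        size_t want = b->allocated * 2;
        if (want < b->length + n) want = b->length + n;
        uint8_t *nd = realloc(b->data, want);
        if (!nd) return -1;
        b->data = nd;
        b->allocated = want;
    }
    memcpy(b->data + b->length, src, n);
    b->length += n;
    return 0;
}

/* 16-bit big-endian length prefix, like _gnutls_buffer_append_prefix(.., 16, ..). */
int growbuf_append_prefix16(growbuf_t *b, uint16_t v) {
    uint8_t p[2] = { (uint8_t)(v >> 8), (uint8_t)v };
    return growbuf_append(b, p, 2);
}

void growbuf_free(growbuf_t *b) { free(b->data); b->data = NULL; }

/* Stand-in for the binder computation: a byte sum over the covered range. */
uint32_t checksum(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

/* Buggy shape, mirrors the report: pointer and size captured before the
 * append, pointer dereferenced after it. Never called here; if the append
 * reallocated, the read at (2) touches freed memory. */
uint32_t binder_over_stale_pointer(growbuf_t *b, size_t hdr, uint16_t binders_len) {
    const uint8_t *client_hello = b->data + hdr;     /* captured before (1) */
    size_t client_hello_len = b->length - hdr;
    growbuf_append_prefix16(b, binders_len);         /* (1): may realloc */
    return checksum(client_hello, client_hello_len); /* (2): may dangle */
}

/* Reports whether the append moved the backing store (1) or not (0), -1 on
 * error; the old address is kept as an integer so no freed pointer is used. */
int append_moved_buffer(growbuf_t *b, uint16_t binders_len) {
    uintptr_t before = (uintptr_t)b->data;
    if (growbuf_append_prefix16(b, binders_len) != 0) return -1;
    return (uintptr_t)b->data != before;
}

/* Hardened shape: remember an offset, append, then re-derive the pointer
 * from the current b->data. The covered size still excludes the prefix. */
uint32_t binder_with_offset(growbuf_t *b, size_t hdr, uint16_t binders_len) {
    size_t client_hello_off = hdr;
    size_t client_hello_len = b->length - hdr;
    if (growbuf_append_prefix16(b, binders_len) != 0) return 0;
    const uint8_t *client_hello = b->data + client_hello_off; /* fresh base */
    return checksum(client_hello, client_hello_len);
}

/* Driver over constructed input: a 4-byte header standing in for mbuffer_st
 * followed by a fake ClientHello body, allocated exactly full so the prefix
 * append must grow the buffer. */
uint32_t demo_binder(void) {
    static const uint8_t hdr[4] = { 0xaa, 0xbb, 0xcc, 0xdd };
    static const uint8_t hello[] = "client-hello-bytes";
    growbuf_t b;
    if (growbuf_init(&b, sizeof hdr + sizeof hello - 1) != 0) return 0;
    growbuf_append(&b, hdr, sizeof hdr);
    growbuf_append(&b, hello, sizeof hello - 1);
    uint32_t v = binder_with_offset(&b, sizeof hdr, 32);
    growbuf_free(&b);
    return v;
}
```

The append_moved_buffer check is the same observation the attached patch makes by forcing the allocator to move on every growth: whether the bug is visible on a given run depends on whether realloc happened to extend in place, which is why such reports are easier to reproduce with an allocator that always relocates.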