SECURITY: use-after-free in PSK binder calculation
In client_send_params in lib/ext/pre_shared_key.c, there is the following code:
client_hello.data = extdata->data+sizeof(mbuffer_st);
client_hello.size = extdata->length-sizeof(mbuffer_st);
...
ret = _gnutls_buffer_append_prefix(extdata, 16, binders_len); /* (1) */
...
ret = compute_psk_binder(session, prf_res, ... &client_hello, ...); /* (2) */
At (1) realloc may be called on extdata->data, and that results in client_hello.data no longer being valid at (2). The attached patch can be used to expose the invalid read by modifying the gnutls_buffer allocators to always take a simpler strategy of memory allocation.
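The pattern behind the bug, and the fix of storing an offset rather than a pointer, as an added example that is not gnutls code: the buffer type, its append routine, the sample ClientHello bytes and the FNV-1a stand-in for the PRF are all ours. The append routine deliberately relocates on every call, the same "simpler strategy" the report's patch uses, so that any pointer saved before (1) is guaranteed to be stale at (2).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer standing in for gnutls_buffer; the names are ours. */
typedef struct { uint8_t *data; size_t length; } gbuf_t;

/* Grow with the "simpler strategy" the report's patch uses to expose the bug: always allocate an
 * exact-size block, copy, free the old one. Returns 1 if the data moved, -1 on allocation failure. */
static int gbuf_append(gbuf_t *b, const void *p, size_t n) {
    uint8_t *nd = malloc(b->length + n);
    if (!nd) return -1;
    if (b->length) memcpy(nd, b->data, b->length);
    memcpy(nd + b->length, p, n);
    int moved = (nd != b->data);
    free(b->data);             /* any pointer saved into the old data now dangles */
    b->data = nd;
    b->length += n;
    return moved;
}

/* Safe replacement for a saved (data, size) pair: an offset survives relocation, a pointer does not. */
typedef struct { size_t offset; size_t size; } gbuf_view_t;

/* FNV-1a stands in for the PRF that compute_psk_binder runs over the ClientHello bytes. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static const uint8_t sample_hello[] = { 0x01, 0x00, 0x00, 0x10, 0x03, 0x03 }; /* constructed bytes */
typedef struct { uint32_t hash; int relocated; } demo_result_t;

/* Mirrors client_send_params: [header | hello] sits in the buffer, a view of the hello is saved,
 * the 16-bit binders-length prefix is appended (1), then the hello is hashed (2) through a
 * pointer re-derived from the current data field rather than one saved before the append. */
static demo_result_t binder_hash_demo(void) {
    gbuf_t b = { NULL, 0 };
    uint8_t header[8] = { 0 };                  /* stand-in for the mbuffer_st header */
    gbuf_append(&b, header, sizeof header);
    gbuf_append(&b, sample_hello, sizeof sample_hello);
    gbuf_view_t hello = { sizeof header, b.length - sizeof header }; /* not b.data + sizeof header */
    uint8_t prefix[2] = { 0x00, 0x21 };         /* binders_len = 33, big-endian, constructed */
    int relocated = gbuf_append(&b, prefix, sizeof prefix);        /* (1): b.data changes here */
    demo_result_t r = { fnv1a(b.data + hello.offset, hello.size), relocated }; /* (2) */
    free(b.data);
    return r;
}
```

Because the view is re-derived from b.data after the append, the hash equals the hash of the original ClientHello bytes even though the buffer moved; hashing through the pre-append pointer would instead read freed memory, which is what the report's patch makes visible.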