SECURITY: CVE-2019-3836: invalid pointer access upon receiving async handshake messages
Description of problem:
The tlsfuzzer tests in #699 (closed) revealed that one of the probes ('1/4 fragmented keyupdate msg, appdata between') can cause the server crash.
Version of gnutls used:
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
manually compiled on Fedora 29
How reproducible:
Steps to Reproduce:
On the server side, do:
cd tests/suite/tls-fuzzer/tlsfuzzer
../../../../src/gnutls-serv --http --x509keyfile=tests/serverX509Key.pem --x509certfile=tests/serverX509Cert.pem --x509keyfile=tests/serverRSAPSSKey.pem --x509certfile=tests/serverRSAPSSCert.pem --x509keyfile=../../../certs/ecc256.pem --x509certfile=../../../certs/cert-ecc256.pem --debug=6 --priority=NORMAL:+VERS-TLS1.3 --disable-client-cert --port 5556
On the client side:
cd tlsfuzzer
git checkout key-update-handshake
PYTHONPATH=. python scripts/test-tls13-keyupdate.py -p 5556 '1/4 fragmented keyupdate msg, appdata between'
Actual results:
|<3>| ASSERT: buffers.c[get_last_packet]:1171
|<3>| ASSERT: buffers.c[_gnutls_parse_record_buffered_msgs]:1302
|<3>| ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1431
|<3>| ASSERT: handshake-tls13.c[_gnutls13_recv_async_handshake]:612
free(): invalid pointer
zsh: abort (core dumped) ../../../../src/gnutls-serv --http --x509keyfile=tests/serverX509Key.pem
Expected results:
no crash
Additional information:
This was introduced by !694 (merged), in particular this commit: df738136.
I guess the fix would be simple: add missing initialization of a local variable (hsk) in _gnutls13_recv_async_handshake
.
Edited by Daiki Ueno