41 lines
1.3 KiB
Diff
41 lines
1.3 KiB
Diff
From f1fe8d2a7669c4cdcdaaabd8969d358040c142ad Mon Sep 17 00:00:00 2001
|
|
From: Daiki Ueno <ueno@gnu.org>
|
|
Date: Mon, 7 Jul 2025 10:44:12 +0900
|
|
Subject: [PATCH] x509: avoid double free when exporting othernames in SAN
|
|
|
|
Previously, the _gnutls_write_new_othername function, called by
|
|
gnutls_x509_ext_export_subject_alt_names to export "otherName" in a
|
|
certificate's SAN extension, freed the caller allocated ASN.1
|
|
structure upon error, resulting in a potential double-free.
|
|
|
|
Reported by OpenAI Security Research Team.
|
|
|
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
---
|
|
lib/x509/extensions.c | 2 --
|
|
1 file changed, 2 deletions(-)
|
|
|
|
diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c
|
|
index 6c2da8fd10..e8be12eaf5 100644
|
|
--- a/lib/x509/extensions.c
|
|
+++ b/lib/x509/extensions.c
|
|
@@ -754,7 +754,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name,
|
|
result = asn1_write_value(ext, name2, oid, 1);
|
|
if (result != ASN1_SUCCESS) {
|
|
gnutls_assert();
|
|
- asn1_delete_structure(&ext);
|
|
return _gnutls_asn2err(result);
|
|
}
|
|
|
|
@@ -763,7 +762,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name,
|
|
result = asn1_write_value(ext, name2, data, data_size);
|
|
if (result != ASN1_SUCCESS) {
|
|
gnutls_assert();
|
|
- asn1_delete_structure(&ext);
|
|
return _gnutls_asn2err(result);
|
|
}
|
|
|
|
--
|
|
2.50.0
|
|
|