Re: [OATH-Toolkit-help] pskc_build_xml() use-after-free
From: David Woodhouse
Subject: Re: [OATH-Toolkit-help] pskc_build_xml() use-after-free
Date: Thu, 14 Aug 2014 14:45:47 +0100

On Thu, 2014-08-14 at 13:37 +0200, Simon Josefsson wrote:
> Thanks for the bug report!
>
> I'm a little uncertain how well the proposed patch works. What happens
> if you call pskc_build_xml() multiple times?

If you call pskc_build_xml() multiple times, we can throw away the
xmlDoc that's created each time (apart from the latest). Nothing points
*into* those.

It's only the original xmlDoc from pskc_parse_from_memory() that needs
to be kept around, because the individual fields in the pskc_t container
structure (e.g. container->id) will be pointing into it.

So in pskc_build_xml() we free the old container->xmldoc but only if it
*isn't* equal to container->original_xmldoc.

https://bugzilla.redhat.com/show_bug.cgi?id=1129491#c1 is probably the
nicer approach, *changing* the pointers to point into the new xmlDoc
instead of having to keep the original one around. But needs more work.

--
David Woodhouse Open Source Technology Centre
address@hidden Intel Corporation
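
The ownership rule described in the message above, modelled as an added C example that is not from the original post or from OATH Toolkit. `struct doc` is a toy stand-in for libxml2's xmlDoc, and `toy_parse`, `toy_build`, `toy_done` and `docs_live` are hypothetical names; only `id`, `xmldoc` and `original_xmldoc` follow the thread.

```c
#include <stdio.h>
#include <stdlib.h>
struct doc { char text[32]; };   /* toy stand-in for libxml2's xmlDoc */

/* Hypothetical model; only id, xmldoc and original_xmldoc mirror the thread. */
struct container {
    struct doc *xmldoc;          /* most recent document, parsed or built */
    struct doc *original_xmldoc; /* parsed document that id points into   */
    const char *id;              /* borrowed pointer into original_xmldoc */
};
static int docs_live;            /* live documents, to check for leaks */
static struct doc *doc_new(const char *s) {
    struct doc *d = malloc(sizeof *d);
    if (d) { snprintf(d->text, sizeof d->text, "%s", s); docs_live++; }
    return d;
}
static void doc_free(struct doc *d) { if (d) { free(d); docs_live--; } }

/* Parse: keep the document, because id borrows from it. */
int toy_parse(struct container *c, const char *s) {
    struct doc *d = doc_new(s);
    if (!d) return -1;
    c->xmldoc = c->original_xmldoc = d;
    c->id = d->text;
    return 0;
}

/* Build: drop the previous built document, never the original. */
int toy_build(struct container *c) {
    struct doc *d = doc_new(c->id);  /* reads through the borrowed pointer */
    if (!d) return -1;
    if (c->xmldoc != c->original_xmldoc) doc_free(c->xmldoc);
    c->xmldoc = d;
    return 0;
}

/* Teardown: free the built document if distinct, then the original. */
void toy_done(struct container *c) {
    if (c->xmldoc != c->original_xmldoc) doc_free(c->xmldoc);
    doc_free(c->original_xmldoc);
    c->xmldoc = c->original_xmldoc = NULL; c->id = NULL;
}

int main(void) {  /* parse once, build twice, tear down; exit 0 = no leak */
    struct container c;
    if (toy_parse(&c, "KC0001") || toy_build(&c) || toy_build(&c)) return 1;
    toy_done(&c);
    return docs_live;
}
```

Building with AddressSanitizer (`-fsanitize=address`) and removing the `!=` check in `toy_build` makes the second build read `c->id` from freed memory, which the sanitizer reports.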