Re: fix use after free in proxy_parse_uri()

2022-10-18 Thread Theo Buehler
On Tue, Oct 18, 2022 at 03:25:36PM +0200, Claudio Jeker wrote:
> With rev 1.65 proxy_parse_uri() can assign a pointer to proxyport
> that is part of fullhost and so points to freed memory (once that function
> returns). The fix is to copy the port as well.
> 
> This should be a fix for
> https://github.com/rpki-client/rpki-client-portable/issues/74

ugh, sorry about that.

ok tb

> -- 
> :wq Claudio
> 
> Index: http.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/http.c,v
> retrieving revision 1.69
> diff -u -p -r1.69 http.c
> --- http.c20 Sep 2022 08:53:27 -  1.69
> +++ http.c18 Oct 2022 13:15:58 -
> @@ -408,7 +408,8 @@ proxy_parse_uri(char *uri)
>  
>   if ((proxy.proxyhost = strdup(host)) == NULL)
>   err(1, NULL);
> - proxy.proxyport = port;
> + if ((proxy.proxyport = strdup(port)) == NULL)
> + err(1, NULL);
>   proxy.proxyauth = cookie;
>  
>   free(fullhost);
> 
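Review bot: The added strdup(port) call has no guard for a NULL port, and strdup(NULL) is undefined behaviour, whereas the old plain assignment "proxy.proxyport = port;" tolerated NULL. If any path through proxy_parse_uri() can reach this point with port unset, for instance a proxy URI that carries no explicit port, assign a default earlier or copy only when port is non-NULL. The hunk does not show where port is set, so this needs checking against the code above it.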



fix use after free in proxy_parse_uri()

2022-10-18 Thread Claudio Jeker
With rev 1.65 proxy_parse_uri() can assign a pointer to proxyport
that is part of fullhost and so points to freed memory (once that function
returns). The fix is to copy the port as well.

This should be a fix for
https://github.com/rpki-client/rpki-client-portable/issues/74
-- 
:wq Claudio

Index: http.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/http.c,v
retrieving revision 1.69
diff -u -p -r1.69 http.c
--- http.c  20 Sep 2022 08:53:27 -  1.69
+++ http.c  18 Oct 2022 13:15:58 -
@@ -408,7 +408,8 @@ proxy_parse_uri(char *uri)
 
if ((proxy.proxyhost = strdup(host)) == NULL)
err(1, NULL);
-   proxy.proxyport = port;
+   if ((proxy.proxyport = strdup(port)) == NULL)
+   err(1, NULL);
proxy.proxyauth = cookie;
 
free(fullhost);
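Review bot: The context line "proxy.proxyauth = cookie;" right after the new strdup still stores a pointer without copying it, while proxyhost and proxyport are now both duplicated before free(fullhost). If cookie can ever point into fullhost or into another buffer released in this function, it has the same lifetime problem the patch fixes for port. A short comment at that line stating that cookie is a separately allocated string whose ownership passes to proxy would settle it for the next reader.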