Commit 42a4cd4c authored by Kamil Dudka's avatar Kamil Dudka
Browse files

nss: fix a possible use-after-free in SelectClientCert() 

... causing a SIGSEGV in showit() in case the handle used to initiate
the connection has already been freed.

This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.

Reported-by: Rob Sanders
Bug: https://bugzilla.redhat.com/1436158
parent c89eb6d0

lib/vtls/nss.c

+8 −0
Original line number Diff line number Diff line
@@ -2184,6 +2184,10 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */ 
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];

  ssize_t rc;



  /* The SelectClientCert() hook uses this for infof() and failf() but the

     handle stored in nss_setup_connect() could have already been freed. */

  connssl->data = conn->data;



  rc = PR_Send(connssl->handle, mem, (int)len, 0, PR_INTERVAL_NO_WAIT);

  if(rc < 0) {

    PRInt32 err = PR_GetError();
@@ -2217,6 +2221,10 @@ static ssize_t nss_recv(struct connectdata *conn, /* connection data */ 
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];

  ssize_t nread;



  /* The SelectClientCert() hook uses this for infof() and failf() but the

     handle stored in nss_setup_connect() could have already been freed. */

  connssl->data = conn->data;



  nread = PR_Recv(connssl->handle, buf, (int)buffersize, 0,

                  PR_INTERVAL_NO_WAIT);

  if(nread < 0) {