Commit 70d1df0d authored by David Goulet, committed by Ian Goldberg

Fix: set to NULL the sendsmp pointer when handling SMP

If err = otrl_proto_create_data(&mp, ...) returns an early error, then
mp may not have yet been set to NULL.  If the calling code *both*
(a) had not set mp to NULL to begin with, *and*
(b) calls free(mp) _outside_ of the test for if (!err),
then free(mp) will be freeing an uninitialized pointer.

So ensure every call to otrl_proto_create_data either initializes its mp
to NULL, or only frees mp if the call succeeds, or both.  There were two
places where neither was happening.  In other places, one or the other was
already happening.

Also, for extra precaution, set the message pointer in
otrl_proto_create_data() to NULL at the beginning.

Thanks to Nicolas Guigo <nicolas.guigo@nccgroup.trust> and
Ben Hawkes <hawkes@inertiawar.com> for the report.

Fixes #72
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
Signed-off-by: Ian Goldberg <iang@cs.uwaterloo.ca>
parent 03e3cad9
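The hazard the commit message describes, shown as an added example that is not libotr code and not part of this commit: a function with a `char **` out-parameter that returns early on an error path without writing the out-parameter, beside the fixed shape that clears it at entry, plus the defensive caller pattern (initialise to NULL, free only inside the `!err` test). The function names `create_data_unsafe` and `create_data_safe`, the `encrypted` flag standing in for the msgstate check, and the error codes are assumptions for illustration; a static sentinel stands in for the garbage an uninitialised stack pointer would hold, so nothing undefined is executed.

```c
/* Added example (not libotr code): models the out-parameter pattern the
 * commit fixes.  create_data_unsafe() mirrors the pre-fix shape of
 * otrl_proto_create_data(): it returns early on error before touching the
 * output pointer.  create_data_safe() clears the output pointer at entry,
 * as the fix does.  Function names, the error codes and the "encrypted"
 * flag are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERR_NOT_ENCRYPTED 1
#define ERR_NO_MEMORY     2

/* Pre-fix shape: on the early error path *outp is never written. */
static int create_data_unsafe(char **outp, int encrypted, const char *msg)
{
    if (!encrypted)
        return ERR_NOT_ENCRYPTED;   /* *outp left as whatever the caller had */
    *outp = NULL;                    /* only reached on the success path */
    char *dup = malloc(strlen(msg) + 1);
    if (!dup)
        return ERR_NO_MEMORY;
    strcpy(dup, msg);
    *outp = dup;
    return 0;
}

/* Post-fix shape: *outp = NULL at function entry, so every return path
 * leaves the caller with either NULL or a valid allocation. */
static int create_data_safe(char **outp, int encrypted, const char *msg)
{
    *outp = NULL;
    if (!encrypted)
        return ERR_NOT_ENCRYPTED;
    char *dup = malloc(strlen(msg) + 1);
    if (!dup)
        return ERR_NO_MEMORY;
    strcpy(dup, msg);
    *outp = dup;
    return 0;
}

/* Sentinel standing in for the garbage an uninitialised stack variable
 * would hold; it is compared, never dereferenced or freed. */
static char sentinel;

/* Returns 1 if the callee left the output pointer untouched on the error
 * path (the hazard a later free() would trip over), 0 if it cleared it. */
int leaves_pointer_uninitialized(int (*fn)(char **, int, const char *))
{
    char *mp = &sentinel;          /* models an uninitialised 'char *sendsmp;' */
    int err = fn(&mp, 0, "hello");
    return err != 0 && mp == &sentinel;
}

/* The defensive caller shape: (a) initialise to NULL so free() is a no-op
 * on failure, and (b) free only inside the !err test.  Returns the
 * callee's error code. */
int caller_pattern(int (*fn)(char **, int, const char *), int encrypted)
{
    char *sendsmp = NULL;          /* (a) */
    int err = fn(&sendsmp, encrypted, "SMP payload");
    if (!err) {                    /* (b) */
        free(sendsmp);
        sendsmp = NULL;
    }
    return err;
}

int main(void)
{
    printf("unsafe leaves pointer uninitialised on error: %d\n",
           leaves_pointer_uninitialized(create_data_unsafe));
    printf("safe leaves pointer uninitialised on error:   %d\n",
           leaves_pointer_uninitialized(create_data_safe));
    printf("caller, encrypted:     err=%d\n", caller_pattern(create_data_safe, 1));
    printf("caller, not encrypted: err=%d\n", caller_pattern(create_data_safe, 0));
    return 0;
}
```

Either half of the fix on its own closes the bug: with `create_data_safe` even a caller that frees unconditionally gets NULL on failure, and with `caller_pattern` even `create_data_unsafe` is harmless because the pointer starts as NULL and is only freed on success. The commit applies both, which is the right belt-and-braces choice for a library whose callers it does not control.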
......@@ -1505,7 +1505,7 @@ int otrl_message_receiving(OtrlUserState us, const OtrlMessageAppOps *ops,
unsigned char* nextmsg;
int nextmsglen;
OtrlTLV *sendtlv;
char *sendsmp;
char *sendsmp = NULL;
otrl_sm_step3(context->smstate, tlv->data,
tlv->len, &nextmsg, &nextmsglen);
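Review bot: initialising sendsmp to NULL in the step3 branch is only a complete fix if the later free(sendsmp) is either guarded by if (!err) or otrl_proto_create_data() clears *encmessagep on every return; the free is outside this hunk, so confirm one of those holds (the proto.c change in this commit moves *encmessagep = NULL to function entry, which covers the second case). A short comment such as "/* NULL so free() below is a no-op if create_data fails */" would make the reason for the initialisation visible to the next reader.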
......@@ -1560,7 +1560,7 @@ int otrl_message_receiving(OtrlUserState us, const OtrlMessageAppOps *ops,
unsigned char* nextmsg;
int nextmsglen;
OtrlTLV *sendtlv;
char *sendsmp;
char *sendsmp = NULL;
err = otrl_sm_step4(context->smstate, tlv->data,
tlv->len, &nextmsg, &nextmsglen);
/* Set trust level based on result */
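Review bot: this branch already assigns err = otrl_sm_step4(...) before any later otrl_proto_create_data() call, so whichever err a subsequent free(sendsmp) is tested against, the sendsmp = NULL initialisation now makes that free harmless in both outcomes; the change matches the step3 branch above, which is the right consistency. Consider factoring the repeated declare/init/step/create/free sequence of the two branches into a helper so that future SMP states cannot reintroduce an uninitialised sendsmp.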
......@@ -496,6 +496,8 @@ gcry_error_t otrl_proto_create_data(char **encmessagep, ConnContext *context,
char *msgdup;
int version = context->protocol_version;
*encmessagep = NULL;
/* Make sure we're actually supposed to be able to encrypt */
if (context->msgstate != OTRL_MSGSTATE_ENCRYPTED ||
context->context_priv->their_keyid == 0) {
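Review bot: placing *encmessagep = NULL before the msgstate/their_keyid check is the correct spot, since that check is the early return that previously left the output pointer untouched. Document in the function's header comment that *encmessagep is NULL on every error return, so callers can rely on it rather than each re-implementing the guard.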
......@@ -510,8 +512,6 @@ gcry_error_t otrl_proto_create_data(char **encmessagep, ConnContext *context,
}
strcpy(msgdup, msg);
*encmessagep = NULL;
/* Header, msg flags, send keyid, recv keyid, counter, msg len, msg
* len of revealed mac keys, revealed mac keys, MAC */
buflen = OTRL_HEADER_LEN + (version == 3 ? 8 : 0)
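Review bot: dropping this later *encmessagep = NULL is correct now that the entry-point assignment exists; it was redundant on the success path and unreachable on the early error path, so keeping both would only invite confusion about which one is load-bearing. The strcpy(msgdup, msg) just above relies on msgdup having been sized from msg, which is outside this hunk but worth keeping in mind if the allocation is touched later.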