author | Anna Henningsen <anna@addaleax.net> | 2018-04-12 21:53:59 +0200 |
---|---|---|
committer | Myles Borins <mylesborins@google.com> | 2018-06-12 20:46:03 -0400 |
commit | 0cb3325f124805c0f8911627a38cfb34be35b675 (patch) | |
tree | 840c23bbff88ec5ad93df63b113e619da0fd178b /src/tls_wrap.cc | |
parent | 06cab45b2c2121af527b7e305f0176114da741d1 (diff) | |
tls: fix SSL write error handling

Fix a use-after-free bug in the TLS implementation.

If we return from `DoWrite()` with an early error, we should
not be storing the `WriteWrap` object and complete it
again at a later point, when it has already been freed
(because of the write error).

This issue was reported by Jordan Zebor at F5 Networks,
who also helped with investigating this bug and coming
up with a reproduction.

This fixes CVE-2018-7162.

Fixes: https://github.com/nodejs-private/security/issues/189
PR-URL: https://github.com/nodejs-private/node-private/pull/127
Reviewed-By: Evan Lucas <evanlucas@me.com>
Diffstat (limited to 'src/tls_wrap.cc')
-rw-r--r-- | src/tls_wrap.cc | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc index 65615e3a11..4c4360358c 100644 --- a/src/tls_wrap.cc +++ b/src/tls_wrap.cc @@ -620,8 +620,10 @@ int TLSWrap::DoWrite(WriteWrap* w, if (i != count) { int err; Local<Value> arg = GetSSLError(written, &err, &error_); - if (!arg.IsEmpty()) + if (!arg.IsEmpty()) { + current_write_ = nullptr; return UV_EPROTO; + } pending_cleartext_input_.insert(pending_cleartext_input_.end(), &bufs[i], |
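Review bot: the new `current_write_ = nullptr;` ahead of `return UV_EPROTO;` in the `if (!arg.IsEmpty())` branch has no comment saying why the pointer is dropped there. A one-line comment noting that the `WriteWrap` is freed once `DoWrite()` returns an error, so it must not be kept around for a later completion, would stop a future refactor from removing the reset as dead code. Only this one error path is visible in the hunk, so it is also worth confirming that any other error return in `DoWrite()` reached after `current_write_` has been assigned clears it the same way.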