[tin-dev] [tin] possible NULL-pointer derefference in connection-info ('J')

Urs Janßen urs at tin.org
Wed Jan 17 20:48:17 CET 2024


This fixes two socket leaks and a memory leak when -T (TLS) fails,
an alignment issue in the SSL chain listing with LibreSSL, and a
possible NULL-pointer dereference in connection-info ('J') if the
server supports CAPABILITIES but does not return IMPLEMENTATION.

--- tin-2.6.3/src/nntplib.c	2023-12-24 00:38:39.000000000 +0100
+++ tin-2.6.4/src/nntplib.c	2024-01-17 20:11:26.027976576 +0100
@@ -316,12 +316,16 @@
 		int result;
 
 		result = tintls_open(machine, sock_fd, &nntp_buf.tls_ctx);
-		if (result < 0)
+		if (result < 0) {
+			close(sock_fd);
 			return result;
+		}
 
 		result = tintls_handshake(nntp_buf.tls_ctx);
-		if (result < 0)
+		if (result < 0) {
+			close(sock_fd);
 			return result;
+		}
 	}
 #	endif /* NNTPS_ABLE */
 
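Review bot: In the second added branch, after tintls_handshake() fails, `nntp_buf.tls_ctx` still holds the context that tintls_open() stored a few lines earlier, and that context now refers to a descriptor that has just been closed. The hunk does not show whether the caller releases it, so this needs confirming. If nothing does, release the TLS context and reset the pointer (`nntp_buf.tls_ctx = NULL;`) before `close(sock_fd);`, so later code cannot use a session bound to a closed or reused fd. The enclosing function starts and ends outside the hunk.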
@@ -2692,7 +2696,7 @@
 	fprintf(stream, _(txt_conninfo_server), nntp_server);
 	fprintf(stream, _(txt_conninfo_port), nntp_tcp_port);
 	if (nntp_caps.type == CAPABILITIES) {
-		if (*nntp_caps.implementation)
+		if (nntp_caps.implementation)
 			fprintf(stream, _(txt_conninfo_implementation), nntp_caps.implementation);
 		if (nntp_caps.compress) {
 			fprintf(stream, "%s", _(txt_conninfo_compress));
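Review bot: The new test `if (nntp_caps.implementation)` guards against NULL but no longer skips an empty string, which the old `*nntp_caps.implementation` test did. If the capability parser can store "" for a server that sends a bare IMPLEMENTATION line (not visible here), the label is now printed with no value. `if (nntp_caps.implementation && *nntp_caps.implementation)` keeps both checks. The enclosing function starts and ends outside the hunk.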
--- tin-2.6.3/src/nntps.c	2023-12-24 00:38:39.000000000 +0100
+++ tin-2.6.4/src/nntps.c	2024-01-11 05:26:34.702091721 +0100
@@ -270,6 +270,7 @@ tintls_open(
 	result = tls_connect_socket(client, fd, servername);
 	if (result == -1) {
 		tls_free(client);
+		tintls_exit();
 		return -ENOMEM;
 	}
 
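Review bot: This failure path reports every tls_connect_socket() failure as `-ENOMEM`, and `tls_free(client)` runs before the library's error text is read, so the user cannot tell an allocation failure from a configuration or socket problem. Logging `tls_error(client)` before the free, or returning a more general error code, would make a failed TLS setup diagnosable. The added `tintls_exit();` would also benefit from a one-line comment saying which state it releases, because the other error returns of tintls_open() are outside the hunk and it is not visible whether they need the same call.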
@@ -822,12 +821,19 @@ tintls_conninfo(
 		X509 *cert;
 		char **cert_info;
 		const ASN1_TIME *asn1;
-		const char *cptr = (const char *) chain;
+		char *wchain, *cptr;
 		int i = 0;
+		size_t cl;
 		struct tm tm;
 
 		fprintf(fp, "%s", _(txt_conninfo_server_cert_info));
 
+		/* string copy of chain */
+		cl = snprintf(NULL, 0, "%.*s", (int) chain_size, chain);
+		wchain = my_malloc(++cl);
+		snprintf(wchain, cl, "%.*s", (int) chain_size, chain);
+		cptr = wchain;
+
 		while ((cptr = strstr(cptr, "-----BEGIN CERTIFICATE-----"))) {
 			chain_size = strlen(cptr);
 			if (chain_size > 0 && BIO_write(io_buf, cptr, chain_size) > 0) {
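Review bot: The result of `snprintf(NULL, 0, ...)` is stored in the `size_t cl` without a check, so a negative return becomes a huge value and `++cl` wraps to 0. The later `strstr(cptr, ...)` would then scan a zero-length, unterminated buffer. The `(int) chain_size` precision is a second risk: if it ever went negative it would be ignored and `%s` would read `chain` until a NUL that may not be there. A length-based copy avoids both: `wchain = my_malloc(chain_size + 1); memcpy(wchain, chain, chain_size); wchain[chain_size] = '\0';`. It gives the same result for the `strstr` loop, which stops at the first NUL anyway. tintls_conninfo() starts and ends outside the hunk.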
@@ -857,8 +863,9 @@ tintls_conninfo(
 				}
 			}
 			BIO_reset(io_buf);
-			cptr += 26;
+			cptr += 26; /* "-----BEGIN CERTIFICATE-----" */
 		}
+		free(wchain);
 		BIO_free(io_buf);
 	} else /* Fallback if access to the certificate chain has failed */
 #	else
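Review bot: The new comment on `cptr += 26;` ties the constant to "-----BEGIN CERTIFICATE-----", but that marker is 27 characters long, so the number and the comment disagree. Advancing by 26 still stays inside the matched text and still prevents a re-match, so behaviour is fine, but the next reader will wonder which is right. Deriving the step from the literal, `cptr += sizeof("-----BEGIN CERTIFICATE-----") - 1;`, or from a named constant shared with the `strstr` call, removes the magic number. The loop this belongs to starts outside the hunk.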


