schannel: fix UAF in client cert store thumbprint handling

Follow-up to 10bb489b22

Found by Codex Security
Closes #20801
Daniel Stenberg 2026-03-03 18:38:19 +01:00
parent d9c2c64337
commit 7577ed7e86
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2


@ -371,6 +371,7 @@ static CURLcode get_client_cert(struct Curl_easy *data,
DWORD cert_store_name = 0;
TCHAR *cert_store_path = NULL;
TCHAR *cert_thumbprint_str = NULL;
TCHAR cert_thumbprint_buf[CERT_THUMBPRINT_STR_LEN + 1];
CRYPT_HASH_BLOB cert_thumbprint;
BYTE cert_thumbprint_data[CERT_THUMBPRINT_DATA_LEN];
HCERTSTORE cert_store = NULL;
@ -392,6 +393,15 @@ static CURLcode get_client_cert(struct Curl_easy *data,
result = get_cert_location(cert_path, &cert_store_name,
&cert_store_path, &cert_thumbprint_str);
/* 'cert_thumbprint_str' points in to the allocated 'cert_path', copy
the data. The string is verified to be CERT_THUMBPRINT_STR_LEN bytes
long within the get_cert_location() function. */
if(!result && cert_thumbprint_str) {
memcpy(cert_thumbprint_buf, cert_thumbprint_str,
sizeof(cert_thumbprint_buf));
cert_thumbprint_str = cert_thumbprint_buf;
}
curlx_free(cert_path);
if(result && (data->set.ssl.primary.clientcert[0] != '\0'))
fInCert = curlx_fopen(data->set.ssl.primary.clientcert, "rb");
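Review bot: The `memcpy` into `cert_thumbprint_buf` reads `sizeof(cert_thumbprint_buf)` bytes, that is `CERT_THUMBPRINT_STR_LEN + 1` TCHARs, from `cert_thumbprint_str`, so its safety rests entirely on the length check that the comment attributes to get_cert_location(), which is not visible in this hunk. I would pin that invariant at the copy site with `DEBUGASSERT(_tcslen(cert_thumbprint_str) == CERT_THUMBPRINT_STR_LEN);` before the `memcpy`, so a later change to the parser cannot silently turn the copy into an over-read or leave the buffer unterminated. The comment should also say "characters" rather than "bytes", since the buffer is a TCHAR array and the two differ in Unicode builds. `cert_store_path` is filled by the same call; if it is used after `curlx_free(cert_path)` it is presumably a separate allocation, and the comment could say so to make clear that only the thumbprint aliased the freed buffer. get_client_cert() starts and ends outside the hunk.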