From ab5f4cbdc65cbc55062b36a6c11482c217884fe8 Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Sat, 23 Apr 2016 17:28:30 +0200 Subject: [PATCH] Fix possible read of freed memory when verifying the signature of a file. --- src/tincctl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/tincctl.c b/src/tincctl.c index f41e0307..e42ec2cc 100644 --- a/src/tincctl.c +++ b/src/tincctl.c @@ -2517,6 +2517,7 @@ static int cmd_verify(int argc, char *argv[]) { } *newline++ = '\0'; + size_t skip = newline - data; char signer[MAX_STRING_SIZE] = ""; char sig[MAX_STRING_SIZE] = ""; @@ -2543,6 +2544,8 @@ static int cmd_verify(int argc, char *argv[]) { memcpy(data + len, trailer, trailer_len); free(trailer); + newline = data + skip; + char fname[PATH_MAX]; snprintf(fname, sizeof fname, "%s" SLASH "hosts" SLASH "%s", confbase, node); FILE *fp = fopen(fname, "r"); -- 2.20.1