
Commit 930a087

committed
connect_relay_tls: Fix NULL deref when relay connect_timeout is 0.
Found by the ZeroPath AI Security Engineer <https://zeropath.com>
1 parent 5846cde commit 930a087


2 files changed

+10
-2
lines changed


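--- a/logsrvd/logsrvd_relay.c
+++ b/logsrvd/logsrvd_relay.c
@@ -268,6 +268,7 @@ static bool
 connect_relay_tls(struct connection_closure *closure)
 {
 struct tls_client_closure *tls_client = &closure->relay_closure->tls_client;
+const struct timespec *timeout = logsrvd_conf_relay_connect_timeout();
 SSL_CTX *ssl_ctx = logsrvd_relay_tls_ctx();
 debug_decl(connect_relay_tls, SUDO_DEBUG_UTIL);
 
@@ -279,7 +280,11 @@ connect_relay_tls(struct connection_closure *closure)
 if (tls_client->tls_connect_ev == NULL)
 goto bad;
 tls_client->peer_name = &closure->relay_closure->relay_name;
-tls_client->connect_timeout = *logsrvd_conf_relay_connect_timeout();
+if (timeout != NULL) {
+tls_client->connect_timeout = *timeout;
+} else {
+sudo_timespecclear(&tls_client->connect_timeout);
+}
 tls_client->start_fn = tls_client_start_fn;
 if (!tls_ctx_client_setup(ssl_ctx, closure->relay_closure->sock, tls_client))
 goto bad;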
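Review bot: The `else` branch added in the second hunk makes a cleared `connect_timeout` mean "no deadline" without saying so, and that meaning is only enforced in another file, where `tls_connect_cb` tests the field with `sudo_timespecisset`. I would put a comment above the branch, e.g. `/* No relay connect timeout configured: clear the field so tls_connect_cb() waits without a deadline. */`, so the zero value is not later mistaken for an immediate timeout. With the setting at 0 an unresponsive relay can apparently hold the TLS handshake open indefinitely, so the configuration documentation should state that 0 disables the limit. Any other call site that dereferences `logsrvd_conf_relay_connect_timeout()` directly needs the same guard; none is visible in this section, and the body of `connect_relay_tls` continues outside both hunks.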

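--- a/logsrvd/tls_client.c
+++ b/logsrvd/tls_client.c
@@ -101,7 +101,7 @@ tls_connect_cb(int sock, int what, void *v)
 {
 struct tls_client_closure *tls_client = v;
 struct sudo_event_base *evbase = tls_client->evbase;
-const struct timespec *timeout = &tls_client->connect_timeout;
+const struct timespec *timeout = NULL;
 const char *errstr;
 int con_stat;
 debug_decl(tls_connect_cb, SUDO_DEBUG_UTIL);
@@ -111,6 +111,9 @@ tls_connect_cb(int sock, int what, void *v)
 goto bad;
 }
 
+if (sudo_timespecisset(&tls_client->connect_timeout))
+timeout = &tls_client->connect_timeout;
+
 con_stat = SSL_connect(tls_client->ssl);
 
 if (con_stat == 1) {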
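Review bot: A zero `connect_timeout` is now an in-band sentinel for "no timeout" (the check added before `SSL_connect`), so every code path that fills a `struct tls_client_closure` has to set or clear that field before this callback runs; an uninitialized field would be read as a real deadline. Only the relay path's initialization is shown in this commit, so the other users of the structure are worth checking. A short comment on the check would record the contract, e.g. `/* A cleared connect_timeout means no timeout: leave timeout NULL. */`. The place where `timeout` is consumed lies outside the hunk, so I am assuming a NULL pointer there means the event is added without a deadline.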
