Closed sftcd closed 10 months ago
Hey @sftcd,
Thanks for the heads up, I should have been calling free and setting that to NULL regardless of acceptance. I've made PR https://github.com/wolfSSL/wolfssl/pull/6795 to fix this issue. I tested the fix with your experimental version of curl, awesome stuff.
Best Wishes, John Bland
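The fix pattern described above (release the buffer and set the pointer to NULL whether or not ECH acceptance succeeded), as an added C example that is not wolfSSL's code or the PR's: it models the session state and the two cleanup paths with hypothetical names, and counts double frees through a tracking wrapper instead of letting the allocator abort.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Tracking free: records every address released and counts a second release
 * instead of passing it to free() again, so both lifetimes can run in one process. */
static uintptr_t g_freed[8];
static int g_nfreed, g_double_frees;

static void tracked_free(void *p) {
    if (p == NULL) return;                     /* free(NULL) is a no-op */
    for (int i = 0; i < g_nfreed; i++)
        if (g_freed[i] == (uintptr_t)p) { g_double_frees++; return; }
    if (g_nfreed < 8) g_freed[g_nfreed++] = (uintptr_t)p;
    free(p);
}

/* Hypothetical session state: the ECH public value kept across the handshake. */
typedef struct { unsigned char *ech_pub; int accepted; } Session;

/* Buggy pattern: the buffer is released on both outcomes, but the pointer is
 * only cleared on acceptance, so the generic cleanup later frees a stale pointer. */
static void ech_finish_buggy(Session *s, int accepted) {
    s->accepted = accepted;
    tracked_free(s->ech_pub);
    if (accepted) s->ech_pub = NULL;
}

/* Fixed pattern: release and NULL the pointer regardless of acceptance. */
static void ech_finish_fixed(Session *s, int accepted) {
    s->accepted = accepted;
    tracked_free(s->ech_pub);
    s->ech_pub = NULL;
}

/* Generic teardown: frees whatever the session still appears to own. */
static void session_free(Session *s) { tracked_free(s->ech_pub); s->ech_pub = NULL; }

/* Run one handshake outcome through one cleanup variant; return double frees seen. */
int run_case(int fixed, int accepted) {
    g_nfreed = 0; g_double_frees = 0;
    Session s = { malloc(32), 0 };
    memset(s.ech_pub, 0xAA, 32);               /* constructed stand-in for a corrupted config */
    if (fixed) ech_finish_fixed(&s, accepted); else ech_finish_buggy(&s, accepted);
    session_free(&s);
    return g_double_frees;
}

int main(void) {
    printf("buggy, ECH rejected: %d double free(s)\n", run_case(0, 0));
    printf("fixed, ECH rejected: %d double free(s)\n", run_case(1, 0));
    return 0;
}
```

Only the buggy path with a rejected config reports a double free; the accepted path hides the defect, which is why a corrupted ECHConfig was needed to trigger it.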
Your fix looks good to me, thanks.
Contact Details
via github is fine for now
Version
cloned master a few days ago
Description
I've got a version of curl that does ECH and can use ECH from my OpenSSL build or WolfSSL's. In the case of WolfSSL I can generate a crash due to a double-free by supplying a corrupted (coupla bits flipped in the public value) ECHConfig to the client.
Reproduction steps
You could reproduce if you were to build my curl fork HOWTO and then run:
./src/curl -vvv --echconfig AEX+DQBBYQAgACD8f/nTUp0hjj6R/yjh3KnNKWK/eG4FFvkfZbTNI84NPwAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA= https://crypto.cloudflare.com/cdn-cgi/trace
There's a valgrind output below that shows where the problem lies.
The solution (that works for me) is to avoid the double-free when ECH acceptance checking fails as well as when it works. The commit is pretty simple and fairly obvious when you look at it.
Relevant log output