tests/cve-2009-1415.c

   1 /*
   2  * Copyright (C) 2009-2012 Free Software Foundation, Inc.
   3  *
   4  * Author: Simon Josefsson
   5  *
   6  * This file is part of GnuTLS.
   7  *
   8  * GnuTLS is free software; you can redistribute it and/or modify it
   9  * under the terms of the GNU General Public License as published by
  10  * the Free Software Foundation; either version 3 of the License, or
  11  * (at your option) any later version.
  12  *
  13  * GnuTLS is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU General Public License
  19  * along with GnuTLS; if not, write to the Free Software Foundation,
  20  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
  21  */
  22
  23 #ifdef HAVE_CONFIG_H
  24 #include <config.h>
  25 #endif
  26
  27 /*
  28  * Small code to reproduce the CVE-2009-1415 double-free problem.
  29  *
  30  * Build it using:
  31  *
  32  *  gcc -o cve-2009-1415 cve-2009-1415.c -lgnutls
  33  *
  34  * If your gnutls library is OK then running it will just print 'success!'.
  35  *
  36  * If your gnutls library is buggy, then running it will crash like this:
  37  *
  38  * ** glibc detected *** ./cve-2009-1415: munmap_chunk(): invalid pointer: 0xb7f80a9c ***
  39  * ======= Backtrace: =========
  40  * ...
  41  */
  42
  43 #include <stdio.h>
  44 #include <stdarg.h>
  45 #include <stdlib.h>
  46
  47 #include <gnutls/gnutls.h>
  48 #include <gnutls/x509.h>
  49 #include <gnutls/abstract.h>
  50
  51 static char dsa_cert[] =
  52   "-----BEGIN CERTIFICATE-----\n"
  53   "MIIDbzCCAtqgAwIBAgIERiYdRTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
  54   "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTQxWhcNMDgwNDE3MTMyOTQxWjA3MRsw\n"
  55   "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
  56   "Lm9yZzCCAbQwggEpBgcqhkjOOAQBMIIBHAKBgLmE9VqBvhoNxYpzjwybL5u2DkvD\n"
  57   "dBp/ZK2d8yjFoEe8m1dW8ZfVfjcD6fJM9OOLfzCjXS+7oaI3wuo1jx+xX6aiXwHx\n"
  58   "IzYr5E8vLd2d1TqmOa96UXzSJY6XdM8exXtLdkOBBx8GFLhuWBLhkOI3b9Ib7GjF\n"
  59   "WOLmMOBqXixjeOwHAhSfVoxIZC/+jap6bZbbBF0W7wilcQKBgGIGfuRcdgi3Rhpd\n"
  60   "15fUKiH7HzHJ0vT6Odgn0Zv8J12nCqca/FPBL0PCN8iFfz1Mq12BMvsdXh5UERYg\n"
  61   "xoBa2YybQ/Dda6D0w/KKnDnSHHsP7/ook4/SoSLr3OCKi60oDs/vCYXpNr2LelDV\n"
  62   "e/clDWxgEcTvcJDP1hvru47GPjqXA4GEAAKBgA+Kh1fy0cLcrN9Liw+Luin34QPk\n"
  63   "VfqymAfW/RKxgLz1urRQ1H+gDkPnn8l4EV/l5Awsa2qkNdy9VOVgNpox0YpZbmsc\n"
  64   "ur0uuut8h+/ayN2h66SD5out+vqOW9c3yDI+lsI+9EPafZECD7e8+O+P90EAXpbf\n"
  65   "DwiW3Oqy6QaCr9Ivo4GTMIGQMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPdGVz\n"
  66   "dC5nbnV0bHMub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdDwEB/wQFAwMH\n"
  67   "gAAwHQYDVR0OBBYEFL/su87Y6HtwVuzz0SuS1tSZClvzMB8GA1UdIwQYMBaAFOk8\n"
  68   "HPutkm7mBqRWLKLhwFMnyPKVMAsGCSqGSIb3DQEBBQOBgQBCsrnfD1xzh8/Eih1f\n"
  69   "x+M0lPoX1Re5L2ElHI6DJpHYOBPwf9glwxnet2+avzgUQDUFwUSxOhodpyeaACXD\n"
  70   "o0gGVpcH8sOBTQ+aTdM37hGkPxoXjtIkR/LgG5nP2H2JRd5TkW8l13JdM4MJFB4W\n"
  71   "QcDzQ8REwidsfh9uKAluk1c/KQ==\n" "-----END CERTIFICATE-----\n";
  72
  73 const gnutls_datum_t dsa_cert_dat = {
  74   (void*)dsa_cert, sizeof (dsa_cert)
  75 };
  76
  77 int
  78 main (void)
  79 {
  80   gnutls_x509_crt_t crt;
  81   gnutls_pubkey_t pubkey;
  82   gnutls_datum_t data = { (void *) "foo", 3 };
  83   gnutls_datum_t sig = { (void *) "bar", 3 };
  84   int ret;
  85
  86   gnutls_global_init ();
  87
  88   ret = gnutls_x509_crt_init (&crt);
  89   if (ret < 0)
  90     return 1;
  91
  92   ret = gnutls_pubkey_init (&pubkey);
  93   if (ret < 0)
  94     return 1;
  95
  96   ret = gnutls_x509_crt_import (crt, &dsa_cert_dat, GNUTLS_X509_FMT_PEM);
  97   if (ret < 0)
  98     return 1;
  99
 100   ret = gnutls_pubkey_import_x509( pubkey, crt, 0);
 101   if (ret < 0)
 102     return 1;
 103
 104   ret = gnutls_pubkey_verify_data (pubkey, 0, &data, &sig);
 105   if (ret < 0 && ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
 106     return 1;
 107
 108   //printf ("success!\n");
 109
 110   gnutls_x509_crt_deinit (crt);
 111   gnutls_pubkey_deinit( pubkey);
 112   gnutls_global_deinit ();
 113
 114   return 0;
 115 }