libdnssec/key: bad logic leaves key with dangling pointer (!462) · Merge requests · Knot projects / Knot DNS · GitLab

GitLab now enforces expiry dates on tokens that originally had no set expiration date. Those tokens were given an expiration date of one year later. Please review your personal access tokens, project access tokens, and group access tokens to ensure you are aware of upcoming expirations. Administrators of GitLab can find more information on how to identify and mitigate interruption in our documentation.

Self sign-up has been disabled due to increased spam activity. If you want to get access, please send an email to a project owner (preferred) or at gitlab(at)nic(dot)cz. We apologize for the inconvenience.

Ghost User requested to merge dnssec-undefined-memory into master Nov 27, 2015

How to reproduce:

a copy of binary data struct is made at L439
that struct is then resized to accomodate for new key. If successful, new_rdata points to resized memory, key->rdata points to previous location.
creating pubkey at L446 fails and function returns, key->rdata is still invalid
further using key causes use-after-free, freeing double-free freeing key causes double-free and using it use-after-free