From f3bad93db256db07b6cb831d4d24f47543f57e4a Mon Sep 17 00:00:00 2001
From: Michael Budde
Date: Tue, 22 Jan 2019 19:22:03 +0100
Subject: Ignore null deferred postings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

All-null transactions (i.e. a transaction where all postings have a null amount) are discarded during parsing and the `xact` object is free'd. But if the transaction contains a deferred posting this results in a use-after-free vulnerability because a reference to the deferred posting is stored in the account object which is later read when deferred postings are applied after parsing is finished. Ignore null deferred postings to prevent this – they should not have any effect any way.

Thanks to Cory Duplantis for reporting this issue and providing an initial analysis.

Ref TALOS-2017-0304, CVE-2017-2808
Fixes #1723
---
 src/xact.cc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'src')

diff --git a/src/xact.cc b/src/xact.cc
index 5df9ebc5..10a7106a 100644
--- a/src/xact.cc
+++ b/src/xact.cc
@@ -395,10 +395,12 @@ bool xact_base_t::finalize()
 some_null = true;
 }
- if (post->has_flags(POST_DEFERRED))
- post->account->add_deferred_post(id(), post);
- else
+ if (post->has_flags(POST_DEFERRED)) {
+ if (!post->amount.is_null())
+ post->account->add_deferred_post(id(), post);
+ } else {
 post->account->add_post(post);
+ }
 post->xdata().add_flags(POST_EXT_VISITED);
 post->account->xdata().add_flags(ACCOUNT_EXT_VISITED);
-- cgit v1.2.3
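Review bot: The new `if (!post->amount.is_null())` guard carries no comment, so a future reader sees an apparently arbitrary exclusion of null deferred postings and may well remove it; the reason it exists is only in the commit message. I would document it inline, e.g. `// Skip null deferred posts: an all-null xact is discarded after parsing, so storing a pointer to one of its posts in the account would dangle (CVE-2017-2808).` The guard fixes the one known path, but the underlying hazard remains that `add_deferred_post` stores a raw pointer to a post owned by the xact; if any other code path can free the xact after finalize() while the account keeps the deferred entry, the same use-after-free reappears, so it is worth confirming that the all-null discard is the only such path. finalize() begins and ends outside this hunk.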