CVE-2021-20231 GnuTLS — Use-after-free via realloc-aliasing in TLS 1.3 client_hello extensions (key_share + pre_shared_key)

GnuTLS 3.7.0 contains a heap use-after-free in two TLS 1.3 client extension serializers used during the ECDHE handshake: lib/ext/key_share.c:key_share_send_params and lib/ext/pre_shared_key.c:client_send_params. Both functions cache a raw pointer into the dynamically-grown extdata (gnutls_buffer_st) buffer and then perform additional appends on the same buffer that may realloc its backing storage, freeing the chunk the cached pointer references. Subsequent reads/writes through the cached alias are use-after-free. In key_share_send_params (line 683): lengthp = &extdata->data[extdata->length]; is set, then _gnutls_buffer_append_prefix and one or more client_gen_key_share calls grow extdata, possibly realloc'ing it; line 739 then writes a 16-bit length through the dangling lengthp. In client_send_params (lines 430-431): client_hello.data = extdata->data + sizeof(mbuffer_st); is captured before _gnutls_buffer_append_prefix(extdata, 16, binders_len) at line 435, after which compute_psk_binder (lines 442 / 476) reads through client_hello->data. A malicious peer (or crafted client config) that pushes the buffer past a realloc boundary triggers heap corruption / potential RCE.