author | tb <> | 2020-09-20 03:19:52 +0000 |
---|---|---|
committer | tb <> | 2020-09-20 03:19:52 +0000 |
commit | 71ab2c82f3894c93b4fcf5265967efcf76bf9883 (patch) | |
tree | a35889fc2181569ba43b065ccd91135008a8d676 /src | |
parent | 68a66b91bb79ab939073198e9c822a826bd09b96 (diff) | |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally and zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/libcrypto/x509/x509_constraints.c | 12 |
1 files changed, 6 insertions, 6 deletions
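diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c
index ecb9de0d95..5abea52e59 100644
--- a/src/lib/libcrypto/x509/x509_constraints.c
+++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.4 2020/09/18 08:28:45 beck Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.5 2020/09/20 03:19:52 tb Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -674,7 +674,7 @@ x509_constraints_extract_names(struct x509_constraints_names *names,
 X509_NAME *subject_name;
 GENERAL_NAME *name;
 ssize_t i = 0;
-int name_type, add, include_cn = is_leaf, include_email = is_leaf;
+int name_type, include_cn = is_leaf, include_email = is_leaf;
 
 /* first grab the altnames */
 while ((name = sk_GENERAL_NAME_value(cert->altname, i++)) != NULL) {
@@ -686,7 +686,6 @@ x509_constraints_extract_names(struct x509_constraints_names *names,
 goto err;
 }
 
-add = 1;
 name_type = x509_constraints_general_to_bytes(name, &bytes,
 &len);
 switch(name_type) {
@@ -753,10 +752,11 @@ x509_constraints_extract_names(struct x509_constraints_names *names,
 break;
 default:
 /* Ignore this name */
-add = 0;
-break;
+x509_constraints_name_free(vname);
+vname = NULL;
+continue;
 }
-if (add && !x509_constraints_names_add(names, vname)) {
+if (!x509_constraints_names_add(names, vname)) {
 *error = X509_V_ERR_OUT_OF_MEM;
 goto err;
 }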
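Review bot: The new `continue` in the default arm (new lines 755-757) leaves the switch and the rest of the while body in one jump, so it also skips whatever follows the names_add() at new line 759 — per the commit message a `vname = NULL`, though that line is past the end of the hunk — and it is only correct because vname was freed and nulled two lines earlier; a comment on the continue, `/* vname is freed; skip the add below and move to the next altname */`, would make that dependency explicit for the next edit of this switch. Whatever x509_constraints_general_to_bytes() stored in `bytes`/`len` (new lines 689-690) is not released on this path either, which is fine if they alias the GENERAL_NAME's own storage, but that cannot be confirmed from the hunk. Names of an unrecognized form never reach `names`, so no constraint can later be applied to them; if a critical name-constraints extension covers such a form, RFC 5280 §4.2.1.10 expects the certificate to be rejected rather than the name ignored, and the `/* Ignore this name */` comment should say whether that is handled elsewhere or is an accepted gap. x509_constraints_extract_names() begins before and ends after this hunk, including the `err` label that the two `goto err` paths rely on to free vname.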