Free objects that were dynamically allocated in libcrypto with OPENSSL_free().
When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc() so regular free() is safe. Other implementations allow switching to a different allocator where free() could result in a possible heap corruption. Report and initial fix by dropk1ck (gh #92) ok tb@
This commit is contained in:
parent
393ea506ab
commit
bac832a5c2
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ca.c,v 1.88 2022/07/08 19:51:11 tobhe Exp $ */
|
||||
/* $OpenBSD: ca.c,v 1.89 2022/11/07 22:39:52 tobhe Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
|
||||
|
@ -683,7 +683,7 @@ ca_getreq(struct iked *env, struct imsg *imsg)
|
|||
if (subj_name == NULL)
|
||||
return (-1);
|
||||
log_debug("%s: found CA %s", __func__, subj_name);
|
||||
free(subj_name);
|
||||
OPENSSL_free(subj_name);
|
||||
|
||||
chain_len = ca_chain_by_issuer(store, subj, &id,
|
||||
chain, nitems(chain));
|
||||
|
@ -746,7 +746,7 @@ ca_getreq(struct iked *env, struct imsg *imsg)
|
|||
return (-1);
|
||||
log_debug("%s: found local certificate %s", __func__,
|
||||
subj_name);
|
||||
free(subj_name);
|
||||
OPENSSL_free(subj_name);
|
||||
|
||||
if ((buf = ca_x509_serialize(cert)) == NULL)
|
||||
return (-1);
|
||||
|
@ -921,7 +921,7 @@ ca_reload(struct iked *env)
|
|||
if (subj_name == NULL)
|
||||
return (-1);
|
||||
log_debug("%s: %s", __func__, subj_name);
|
||||
free(subj_name);
|
||||
OPENSSL_free(subj_name);
|
||||
|
||||
if (ibuf_add(env->sc_certreq, md, len) != 0) {
|
||||
ibuf_release(env->sc_certreq);
|
||||
|
@ -1195,10 +1195,10 @@ ca_subjectpubkey_digest(X509 *x509, uint8_t *md, unsigned int *size)
|
|||
if (buflen == 0)
|
||||
return (-1);
|
||||
if (!EVP_Digest(buf, buflen, md, size, EVP_sha1(), NULL)) {
|
||||
free(buf);
|
||||
OPENSSL_free(buf);
|
||||
return (-1);
|
||||
}
|
||||
free(buf);
|
||||
OPENSSL_free(buf);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
@ -1225,7 +1225,7 @@ ca_store_info(struct iked *env, const char *msg, X509_STORE *ctx)
|
|||
(name = X509_NAME_oneline(subject, NULL, 0)) == NULL)
|
||||
continue;
|
||||
buflen = asprintf(&buf, "%s: %s\n", msg, name);
|
||||
free(name);
|
||||
OPENSSL_free(name);
|
||||
if (buflen == -1)
|
||||
continue;
|
||||
proc_compose(&env->sc_ps, PROC_CONTROL, IMSG_CTL_SHOW_CERTSTORE,
|
||||
|
@ -1478,6 +1478,10 @@ ca_privkey_to_method(struct iked_id *privkey)
|
|||
return (method);
|
||||
}
|
||||
|
||||
/*
|
||||
* Return dynamically allocated buffer containing certificate name.
|
||||
* The resulting buffer must be freed with OpenSSL_free().
|
||||
*/
|
||||
char *
|
||||
ca_asn1_name(uint8_t *asn1, size_t len)
|
||||
{
|
||||
|
@ -1795,7 +1799,7 @@ ca_validate_cert(struct iked *env, struct iked_static_id *id,
|
|||
if (subj_name == NULL)
|
||||
goto err;
|
||||
log_debug("%s: %s %.100s", __func__, subj_name, errstr);
|
||||
free(subj_name);
|
||||
OPENSSL_free(subj_name);
|
||||
}
|
||||
err:
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: crypto.c,v 1.39 2021/12/13 17:35:34 tobhe Exp $ */
|
||||
/* $OpenBSD: crypto.c,v 1.40 2022/11/07 22:39:52 tobhe Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
|
||||
|
@ -1193,11 +1193,11 @@ dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len)
|
|||
if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0)
|
||||
return (-1);
|
||||
if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) {
|
||||
free(freeme);
|
||||
OPENSSL_free(freeme);
|
||||
ca_sslerror(__func__);
|
||||
return (-1);
|
||||
}
|
||||
free(freeme);
|
||||
OPENSSL_free(freeme);
|
||||
}
|
||||
|
||||
return (0);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ikev2.c,v 1.356 2022/11/06 11:11:47 tobhe Exp $ */
|
||||
/* $OpenBSD: ikev2.c,v 1.357 2022/11/07 22:39:52 tobhe Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
|
||||
|
@ -6963,10 +6963,10 @@ ikev2_print_id(struct iked_id *id, char *idstr, size_t idstrlen)
|
|||
if ((str = ca_asn1_name(ptr, len)) == NULL)
|
||||
return (-1);
|
||||
if (strlcpy(idstr, str, idstrlen) >= idstrlen) {
|
||||
free(str);
|
||||
OPENSSL_free(str);
|
||||
return (-1);
|
||||
}
|
||||
free(str);
|
||||
OPENSSL_free(str);
|
||||
break;
|
||||
default:
|
||||
/* XXX test */
|
||||
|
|
Loading…
Reference in New Issue