[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 2/2] pki_crypto: plug pki_signature_from_blob leaks

Subject: [PATCH 2/2] pki_crypto: plug pki_signature_from_blob leaks
From: Jon Simons <jon@xxxxxxxxxxxxx>
Reply-to: libssh@xxxxxxxxxx
Date: Tue, 29 Jan 2019 21:07:20 -0500
To: libssh@xxxxxxxxxx
Cc: Jon Simons <jon@xxxxxxxxxxxxx>

In 3341f49a49a07cbce003e487ef24a2042e800f01, some direct assignments
to OpenSSL structures was replaced with usage of getter and setter
macros.  Ensure to `bignum_safe_free` a couple of intermediate values
in error paths for `pki_signature_from_blob` DSS and ECDSA cases.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 src/pki_crypto.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 40ffedfe..c27e8184 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -1657,6 +1657,7 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
 
             s = ssh_string_new(20);
             if (s == NULL) {
+                bignum_safe_free(pr);
                 ssh_signature_free(sig);
                 return NULL;
             }
@@ -1665,6 +1666,7 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
             ps = ssh_make_string_bn(s);
             ssh_string_free(s);
             if (ps == NULL) {
+                bignum_safe_free(pr);
                 ssh_signature_free(sig);
                 return NULL;
             }
@@ -1673,6 +1675,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
              * object */
             rc = DSA_SIG_set0(sig->dsa_sig, pr, ps);
             if (rc == 0) {
+                bignum_safe_free(ps);
+                bignum_safe_free(pr);
                 ssh_signature_free(sig);
                 return NULL;
             }
@@ -1737,6 +1741,7 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
                 rlen = ssh_buffer_get_len(b);
                 ssh_buffer_free(b);
                 if (s == NULL) {
+                    bignum_safe_free(pr);
                     ssh_signature_free(sig);
                     return NULL;
                 }
@@ -1749,6 +1754,7 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
                 ssh_string_burn(s);
                 ssh_string_free(s);
                 if (ps == NULL) {
+                    bignum_safe_free(pr);
                     ssh_signature_free(sig);
                     return NULL;
                 }
@@ -1757,6 +1763,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
                  * ECDSA signature object */
                 rc = ECDSA_SIG_set0(sig->ecdsa_sig, pr, ps);
                 if (rc == 0) {
+                    bignum_safe_free(ps);
+                    bignum_safe_free(pr);
                     ssh_signature_free(sig);
                     return NULL;
                 }
-- 
2.19.1.593.gc670b1f

References:
[PATCH 0/2] pki: fix one segfault and some memory leaks	Jon Simons <jon@xxxxxxxxxxxxx>

Archive administrator: postmaster@lists.cynapses.org