BUG/MEDIUM: jwe: fix memory leak in jwt_decrypt_secret with var argument

When the secret argument to jwt_decrypt_secret is a variable
(ARGT_VAR) rather than a literal string, alloc_trash_chunk() is
called to hold the base64-decoded secret but the buffer is never
released. The end: label frees input, decrypted_cek, out, and the
decoded_items array but not secret.

Each request leaks one trash chunk (~tune.bufsize, default 16KB).
At ~65000 requests per GiB this allows slow memory exhaustion DoS
against any config of the form:

    http-request set-var(txn.x) req.hdr(...),jwt_decrypt_secret(txn.key)

This must be backported as far as JWE support exists.

diff --git a/src/jwe.c b/src/jwe.c
index d7497888e7b04f36ed478a216bb2b5f6e30f0bf2..e36b7b0d8ecc9e11d57fe28ee01c49c89d683538 100644 (file)
--- a/src/jwe.c
+++ b/src/jwe.c
@@ -738,6 +738,7 @@ static int sample_conv_jwt_decrypt_secret(const struct arg *args, struct sample
 end:
        clear_jose_fields(&fields);
        free_trash_chunk(input);
+       free_trash_chunk(secret);
        free_trash_chunk(decrypted_cek);
        free_trash_chunk(out);
        clear_decoded_items(decoded_items);