From: Alberto Leiva Popper Date: Wed, 20 Mar 2019 23:25:31 +0000 (-0600) Subject: Patch two memory leaks and bad rsync X-Git-Tag: v0.0.2~65 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07d2c037e87077916a83813f0ebaf046e6ef92b4;p=thirdparty%2FFORT-validator.git Patch two memory leaks and bad rsync The 'root' download strategy should not apply to the certificate pointed by the TAL, because we don't trust that URL at that point yet. Fixes #4. --- diff --git a/src/asn1/content_info.c b/src/asn1/content_info.c index 9b1f87b2..8489b869 100644 --- a/src/asn1/content_info.c +++ b/src/asn1/content_info.c @@ -3,6 +3,7 @@ #include #include #include "file.h" +#include "log.h" #include "oid.h" #include "asn1/decode.h" @@ -19,12 +20,11 @@ validate(struct ContentInfo *info) if (error) return error; - if (!ARCS_EQUAL_OIDS(&arcs, oid_sdata)) { - fprintf(stderr, "Incorrect content-type."); - return -EINVAL; - } + if (!ARCS_EQUAL_OIDS(&arcs, oid_sdata)) + error = pr_err("Incorrect content-type."); - return 0; + free_arcs(&arcs); + return error; } static int diff --git a/src/asn1/oid.c b/src/asn1/oid.c index 91cbc334..d592f652 100644 --- a/src/asn1/oid.c +++ b/src/asn1/oid.c @@ -15,6 +15,9 @@ free_arcs(struct oid_arcs *arcs) * Wrapper for OBJECT_IDENTIFIER_get_arcs(). * * Callers must free @result. + * + * TODO (whatever) Most of the time, this function is called to compare @result + * to some oid. Maybe create a wrapper that takes care of all the boilerplate. */ int oid2arcs(OBJECT_IDENTIFIER_t *oid, struct oid_arcs *result) @@ -58,23 +61,6 @@ oid2arcs(OBJECT_IDENTIFIER_t *oid, struct oid_arcs *result) return 0; } -/* Callers must free @result. */ -int -any2arcs(ANY_t *any, struct oid_arcs *result) -{ - OBJECT_IDENTIFIER_t *oid; - int error; - - error = asn1_decode_any(any, &asn_DEF_OBJECT_IDENTIFIER, - (void **) &oid); - if (error) - return error; - - error = oid2arcs(oid, result); - ASN_STRUCT_FREE(asn_DEF_OBJECT_IDENTIFIER, oid); - return error; -} - bool oid_equal(OBJECT_IDENTIFIER_t *a, OBJECT_IDENTIFIER_t *b) { return (a->size == b->size) && (memcmp(a->buf, b->buf, a->size) == 0); diff --git a/src/asn1/oid.h b/src/asn1/oid.h index 8e984968..14d0a1bc 100644 --- a/src/asn1/oid.h +++ b/src/asn1/oid.h @@ -43,7 +43,6 @@ typedef asn_oid_arc_t OID[]; #define OID_SHA256 { 2, 16, 840, 1, 101, 3, 4, 2, 1 } int oid2arcs(OBJECT_IDENTIFIER_t *, struct oid_arcs *); -int any2arcs(ANY_t *, struct oid_arcs *); bool oid_equal(OBJECT_IDENTIFIER_t *, OBJECT_IDENTIFIER_t *); bool arcs_equal(struct oid_arcs const *, struct oid_arcs const *); diff --git a/src/asn1/signed_data.c b/src/asn1/signed_data.c index a5e917ae..04f41ba9 100644 --- a/src/asn1/signed_data.c +++ b/src/asn1/signed_data.c @@ -162,10 +162,8 @@ validate_message_digest_attribute(CMSAttributeValue_t *value, MessageDigest_t *digest; int error; - if (eci->eContent == NULL) { - pr_err("There's no content being signed."); - return -EINVAL; - } + if (eci->eContent == NULL) + return pr_err("There's no content being signed."); error = asn1_decode_any(value, &asn_DEF_MessageDigest, (void **) &digest); @@ -176,7 +174,7 @@ validate_message_digest_attribute(CMSAttributeValue_t *value, if (error) pr_err("The content's hash does not match the Message-Digest Attribute."); - free(digest); + ASN_STRUCT_FREE(asn_DEF_MessageDigest, digest); return error; } diff --git a/src/main.c b/src/main.c index ea6ba4d9..5d71671b 100644 --- a/src/main.c +++ b/src/main.c @@ -39,7 +39,7 @@ handle_tal_uri(struct tal *tal, struct rpki_uri const *uri) struct validation *state; int error; - error = download_files(uri); + error = download_files(uri, true); if (error) { return pr_warn("TAL URI '%s' could not be RSYNC'd.", uri->global); diff --git a/src/object/certificate.c b/src/object/certificate.c index ad98ae4e..31d0e5c0 100644 --- a/src/object/certificate.c +++ b/src/object/certificate.c @@ -861,7 +861,7 @@ static int handle_caRepository(struct rpki_uri *uri, void *arg) { pr_debug("caRepository: %s", uri_get_printable(uri)); - return download_files(uri); + return download_files(uri, false); } static int diff --git a/src/rsync/rsync.c b/src/rsync/rsync.c index 515293d6..47e6206f 100644 --- a/src/rsync/rsync.c +++ b/src/rsync/rsync.c @@ -130,8 +130,12 @@ handle_root_strategy(struct rpki_uri const *src, struct rpki_uri *dst) } static int -get_rsync_uri(struct rpki_uri const *requested_uri, struct rpki_uri *rsync_uri) +get_rsync_uri(struct rpki_uri const *requested_uri, bool force_strict, + struct rpki_uri *rsync_uri) { + if (force_strict) + return handle_strict_strategy(requested_uri, rsync_uri); + switch (config_get_sync_strategy()) { case SYNC_ROOT: return handle_root_strategy(requested_uri, rsync_uri); @@ -335,8 +339,19 @@ do_rsync(struct rpki_uri *uri) exit(-EINVAL); } +/** + * @force_srict: + * true: + * SYNC_OFF -> SYNC_OFF + * SYNC_STRICT -> SYNC_STRICT + * SYNC_ROOT -> SYNC_STRICT + * false: + * SYNC_OFF -> SYNC_OFF + * SYNC_STRICT -> SYNC_STRICT + * SYNC_ROOT -> SYNC_ROOT + */ int -download_files(struct rpki_uri const *requested_uri) +download_files(struct rpki_uri const *requested_uri, bool force_strict) { /** * Note: @@ -355,7 +370,7 @@ download_files(struct rpki_uri const *requested_uri) return 0; } - error = get_rsync_uri(requested_uri, &rsync_uri); + error = get_rsync_uri(requested_uri, force_strict, &rsync_uri); if (error) return error; diff --git a/src/rsync/rsync.h b/src/rsync/rsync.h index 50d92437..bb94814a 100644 --- a/src/rsync/rsync.h +++ b/src/rsync/rsync.h @@ -1,9 +1,10 @@ #ifndef SRC_RSYNC_RSYNC_H_ #define SRC_RSYNC_RSYNC_H_ +#include #include "uri.h" -int download_files(struct rpki_uri const *); +int download_files(struct rpki_uri const *, bool); int rsync_init(void); void rsync_destroy(void);