From: Steffan Karger Date: Sun, 7 May 2017 11:01:18 +0000 (+0200) Subject: Fix memory leak in x509_verify_cert_ku() X-Git-Tag: v2.4.2~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d7a13af789daecf38fb6a3ca2d6e6cf0ab939a73;p=thirdparty%2Fopenvpn.git Fix memory leak in x509_verify_cert_ku() If keyUsage was only required to be present, but no specific value was required, we would omit to free the extracted string. This happens as of 2.4.1, if --remote-cert-tls is used. In that case we leak a bit of memory on each TLS (re)negotiation. Signed-off-by: Steffan Karger Acked-by: David Sommerseth Message-Id: <1494154878-18403-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14563.html Signed-off-by: David Sommerseth (cherry picked from commit 7b94d3bbbea46efcea12e1df24da52fe508d0173) --- diff --git a/Changes.rst b/Changes.rst index c1583b396..3dba7e0ef 100644 --- a/Changes.rst +++ b/Changes.rst @@ -318,3 +318,12 @@ Version 2.4.1 ``--remote-cert-tls`` uses the far more common keyUsage and extendedKeyUsage extension instead. Make sure your certificates carry these to be able to use ``--remote-cert-tls``. + + +Version 2.4.2 +============= + +Bugfixes +-------- +- Fix memory leak introduced in 2.4.1: if --remote-cert-tls is used, we leaked + some memory on each TLS (re)negotiation. diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index de4b5da4b..4906c7d3d 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -609,6 +609,7 @@ x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku, if (expected_ku[0] == OPENVPN_KU_REQUIRED) { /* Extension required, value checked by TLS library */ + ASN1_BIT_STRING_free(ku); return SUCCESS; }
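Review bot: in the Changes.rst hunk, the new 2.4.2 bugfix entry writes the option as bare `--remote-cert-tls`, while the 2.4.1 context lines directly above mark it up as ``--remote-cert-tls`` (RST literal); wrap the new occurrence the same way so it renders consistently as a code literal.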
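Review bot: in the ssl_verify_openssl.c hunk, `ASN1_BIT_STRING_free(ku);` before `return SUCCESS;` correctly releases the extracted keyUsage on the OPENVPN_KU_REQUIRED early return, but the hunk covers only that one exit path of x509_verify_cert_ku(); the other return paths (the value-comparison code after this block, outside the hunk) are not visible here, so confirm they also free `ku` on both the match and the mismatch outcomes. Since the function now owns `ku` across several exits, a single cleanup label (`goto cleanup;` with one `ASN1_BIT_STRING_free(ku);`) would make future early returns less likely to reintroduce this leak.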