From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 2 Oct 2024 19:53:52 +0000 (+0200)
Subject: Fix potential memory leak in PKCS7_signatureVerify()
X-Git-Tag: openssl-3.5.0-alpha1~1036
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8b7a6eae9383fced785b9f4e2f24da0dc0a082d;p=thirdparty%2Fopenssl.git
Fix potential memory leak in PKCS7_signatureVerify()
Fixes #25594
The code jumps to an error block when EVP_VerifyUpdate fails. This error block does not free abuf. In the success path the abuf memory is freed. Move the free operation to the error block.
CLA: trivial
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/25596)
---
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 56a37a8e4da..751caf684bb 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -1018,6 +1018,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
 STACK_OF(X509_ATTRIBUTE) *sk;
 BIO *btmp;
 EVP_PKEY *pkey;
+ unsigned char *abuf = NULL;
 const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
 OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
 const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
@@ -1067,7 +1068,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
 sk = si->auth_attr;
 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) {
- unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL;
+ unsigned char md_dat[EVP_MAX_MD_SIZE];
 unsigned int md_len;
 int alen;
 ASN1_OCTET_STRING *message_digest;
@@ -1109,8 +1110,6 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
 }
 if (!EVP_VerifyUpdate(mdc_tmp, abuf, alen)) goto err;
-
- OPENSSL_free(abuf);
 }
 os = si->enc_digest;
@@ -1128,6 +1127,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
 }
 ret = 1;
 err:
+ OPENSSL_free(abuf);
 EVP_MD_CTX_free(mdc_tmp);
 EVP_MD_free(fetched_md);
 return ret;
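Review bot: The function-scope declaration `unsigned char *abuf = NULL;` added in the hunk at -1018 carries an invariant that is not written down. The `OPENSSL_free(abuf)` added at `err:` (hunk at -1128) also runs when the `if ((sk != NULL) && ...)` branch that uses the buffer is skipped, and on the success path that falls through from `ret = 1;`, so the NULL initialiser is what keeps that free safe. A short comment at the declaration would protect it from a later tidy-up, for example `/* freed at err: on every path; must stay NULL until allocated */`. The allocation of `abuf` lies between the hunks and is not visible here, so the wording should be checked against it.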
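Review bot: In the hunk at -1109 the failed `EVP_VerifyUpdate()` branch is still a bare `goto err;`, which neither sets `ret` nor queues a PKCS7-level error in the visible lines. The value returned for this verification failure is therefore whatever `ret` held before the branch, and its initialisation is outside the hunk. For a signature-verification routine it is worth making the failure explicit by bracing the branch and adding `ERR_raise(ERR_LIB_PKCS7, ERR_R_EVP_LIB);` before the `goto`. It is also worth confirming that `ret` cannot be positive at this point. The only assignment shown in the patch is `ret = 1;` immediately before `err:`, which suggests it cannot, but the rest of the function body is not shown.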