tls13/finished: addressed memory leak in receiving finished packet
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 17 Apr 2018 05:45:54 +0000 (07:45 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 17 Apr 2018 05:47:42 +0000 (07:47 +0200)
Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7518

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
fuzz/gnutls_psk_server_fuzzer.repro/e40a8cc4e868b450a442d905d914aee402b57a15 [new file with mode: 0644]
lib/tls13/finished.c

diff --git a/fuzz/gnutls_psk_server_fuzzer.repro/e40a8cc4e868b450a442d905d914aee402b57a15 b/fuzz/gnutls_psk_server_fuzzer.repro/e40a8cc4e868b450a442d905d914aee402b57a15
new file mode 100644 (file)
index 0000000..2efe90c
Binary files /dev/null and b/fuzz/gnutls_psk_server_fuzzer.repro/e40a8cc4e868b450a442d905d914aee402b57a15 differ
index c28d24a19d525f9e13cd9037b0d6e4c670c281ce..bb535fff87d2f6c355a564e4286e766b8c306a60 100644 (file)
@@ -96,8 +96,11 @@ int _gnutls13_recv_finished(gnutls_session_t session)
 
        _gnutls_handshake_log("HSK[%p]: parsing finished\n", session);
 
-       if (buf.length != hash_size)
-               return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+       if (buf.length != hash_size) {
+               gnutls_assert();
+               ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+               goto cleanup;
+       }
 
 
 #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
@@ -105,7 +108,8 @@ int _gnutls13_recv_finished(gnutls_session_t session)
 #else
        if (safe_memcmp(verifier, buf.data, buf.length) != 0) {
                gnutls_assert();
-               return GNUTLS_E_ERROR_IN_FINISHED_PACKET;
+               ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
+               goto cleanup;
        }
 #endif
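Review bot: The two new `goto cleanup` paths rely on `ret` being declared earlier and on the `cleanup:` label releasing `buf`, and neither is visible in this hunk, so the leak fix can only be confirmed against the rest of _gnutls13_recv_finished; a short comment above the length check would make that ownership contract explicit, e.g. `/* buf is owned from here on: every exit below must go through cleanup to release it */`. The body of the `#if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)` branch between the `#if` and the `#else` is not shown either; if it still leaves via a bare `return`, the same leak would persist in fuzzing builds, so it is worth checking that it also reaches the shared exit. The new error blocks match the existing `gnutls_assert(); ret = ...; goto cleanup;` shape of the memcmp branch, which keeps the function's error-handling style consistent. The enclosing function starts and ends outside the hunk.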