From: Nikos Mavrogiannopoulos Date: Wed, 15 Nov 2017 09:31:00 +0000 (+0100) Subject: gnutls_x509_ext_import_proxy: corrected memory leak X-Git-Tag: gnutls_3_6_2~93 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a39dde8ce5247c6bdbed91ebea254c07be0dc925;p=thirdparty%2Fgnutls.git gnutls_x509_ext_import_proxy: corrected memory leak Also added reproducer for the memory leak found. Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3159 Signed-off-by: Nikos Mavrogiannopoulos --- diff --git a/fuzz/gnutls_x509_parser_fuzzer.repro/leak-45ceff5162bae741d1048cede0d5dfe6b677761d b/fuzz/gnutls_x509_parser_fuzzer.repro/leak-45ceff5162bae741d1048cede0d5dfe6b677761d new file mode 100644 index 0000000000..ded50c8ab4 Binary files /dev/null and b/fuzz/gnutls_x509_parser_fuzzer.repro/leak-45ceff5162bae741d1048cede0d5dfe6b677761d differ diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c index 99e0a43f30..58c3263d1e 100644 --- a/lib/x509/x509_ext.c +++ b/lib/x509/x509_ext.c @@ -1520,9 +1520,9 @@ int gnutls_x509_ext_export_basic_constraints(unsigned int ca, int pathlen, * * Since: 3.3.0 **/ -int gnutls_x509_ext_import_proxy(const gnutls_datum_t * ext, int *pathlen, - char **policyLanguage, char **policy, - size_t * sizeof_policy) +int gnutls_x509_ext_import_proxy(const gnutls_datum_t *ext, int *pathlen, + char **policyLanguage, char **policy, + size_t *sizeof_policy) { ASN1_TYPE c2 = ASN1_TYPE_EMPTY; int result; @@ -1563,11 +1563,6 @@ int gnutls_x509_ext_import_proxy(const gnutls_datum_t * ext, int *pathlen, goto cleanup; } - if (policyLanguage) { - *policyLanguage = (char *)value1.data; - value1.data = NULL; - } - result = _gnutls_x509_read_value(c2, "proxyPolicy.policy", &value2); if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) { if (policy) 
@@ -1586,6 +1581,11 @@ int gnutls_x509_ext_import_proxy(const gnutls_datum_t * ext, int *pathlen, *sizeof_policy = value2.size; } + if (policyLanguage) { + *policyLanguage = (char *)value1.data; + value1.data = NULL; + } + result = 0; cleanup: gnutls_free(value1.data);
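Review bot: The relocated `if (policyLanguage)` block directly above `result = 0;` has no comment saying that its position is the fix, so a later edit could insert a fallible call after it and silently reintroduce the leak. I would put `/* Transfer ownership last: every 'goto cleanup' above must still find value1.data set so it is freed there. */` in front of the block. The visible lines do not show whether `*policyLanguage` and `*policy` are reset on the error paths, so the function's doc comment should probably state that both outputs are valid only when 0 is returned and must not be freed by the caller after a failure. The function body starts and ends outside this hunk, so the earlier `value2`/`*policy` hand-over could not be checked against the same rule from here.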