Fix memory leak in mbedtls_x509_csr_parse #1621
CLA has just been submitted through mail
@catenacyber Thank you for your contribution! As sent in mail, the CLA is being processed
@catenacyber I have just raised on your behalf bug #1623 for tracking purposes
Could this be written in a shorter way?
Needs backporting to
@catenacyber Thank you for your contribution.
The changes look good to me. @catenacyber and @sbutcher-arm, I was looking at the surrounding lines of code when reviewing these changes and I think I spotted another issue. Do you think the following sequence could cause a leak? (line numbers on patched version presented in this PR)
- pem context is initialised in line 281
- the value of ret after line 290 satisfies the following condition: ret != 0 && ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
- Execution reaches the else in line 306
- The return statement in line 308 is executed without calling mbedtls_pem_free( &pem )
I might be missing something though...
Function call in the line 287 could return Refactored code in this message should never leak memory. If necessary, a new PR could be created. Edit.
@andresag01
There is no allocation, just a memset
The code proposed by @irwir looks good to me. This pull request was the minimum change to fix the leak.
@catenacyber: Agreed that currently there is no leak, but as @irwir mentioned calls to init and free should be paired. Ideally the execution path that I pointed out would also be fixed to conform with that, but at the moment it is not harmful.
The changes that @catenacyber made look good to me to fix the memory leak. So I am happy for them to be merged as is. However, there are other issues with the code. I also think this code is slightly more complicated than it needs to be and a simple rewrite of those few lines (along the lines of what @irwir proposed) is ideal or at least fixed. @sbutcher-arm I will defer the decision to you regarding whether this is merged as is.
Hi @catenacyber, I'd like to go with @andresag01's suggestion, but I'm conscious that this is your PR. You can either fix it yourself, and resubmit, or if you're having more fun finding the problems than fixing them, @andresag01 can do the re-work. Either way, we will credit you for the work you did here! Please let us know.
Here you go with one more commit to simplify the code.
@catenacyber: Thanks for reworking the PR. The changes look good to me.
@sbutcher-arm: Could you please review the PR once again? Please note that a ChangeLog entry and backports to versions 2.1 and 2.7 are also needed.
library/x509_csr.c
Outdated
if( buf[buflen - 1] != '\0' ) | ||
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; | ||
else | ||
if( buf[buflen - 1] == '\0' ) { |
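Review bot: The test buf[buflen - 1] == '\0' in the last line indexes with buflen - 1, which wraps and reads outside buf when buflen is 0, and no length guard is visible in these lines. Confirm that an earlier check in the function rejects a zero buflen before this condition is evaluated, or add that check alongside it.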
Please note that the Mbed TLS coding style is to place the { on the next line.
Commit to be squashed
@catenacyber: Thanks for fixing the coding style.
Description
Fix memory leak in mbedtls_x509_csr_parse
Status
READY
Requires Backporting
Yes
Which branch? I did not check
Migrations
No
Additional comments
Found using oss-fuzz
Todos
Steps to test or reproduce
Allocated memory in previous call to mbedtls_pem_read_buffer does not get freed without this patch
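The leak pattern and the init/free pairing discussed in this thread, as an added example that is not the Mbed TLS code or this PR's patch. The names toy_pem, toy_pem_read, toy_der_parse and the allocation counter are hypothetical stand-ins, and the leaky shape (an error return taken after the read has already allocated) is an assumption about the kind of path the description refers to.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a PEM context and its init/read/free calls. */
typedef struct { unsigned char *buf; size_t len; } toy_pem;
static int live_allocs = 0;                  /* heap buffers not yet freed */
static void toy_pem_init(toy_pem *p) { memset(p, 0, sizeof(*p)); }
static void toy_pem_free(toy_pem *p) {
    if (p->buf != NULL) { free(p->buf); live_allocs--; }
    memset(p, 0, sizeof(*p));
}
/* Copies the input into a heap buffer owned by the context. */
static int toy_pem_read(toy_pem *p, const unsigned char *in, size_t n) {
    if (n == 0 || (p->buf = malloc(n)) == NULL) return -1;
    live_allocs++;
    memcpy(p->buf, in, n);
    p->len = n;
    return 0;
}
/* Stand-in for the DER parser: accepts only input starting with 0x30. */
static int toy_der_parse(const unsigned char *d, size_t n) {
    return (n > 0 && d[0] == 0x30) ? 0 : -2;
}
/* Leaky shape: the error return after a successful read skips the free. */
int parse_leaky(const unsigned char *in, size_t n) {
    toy_pem pem; int ret;
    toy_pem_init(&pem);
    if ((ret = toy_pem_read(&pem, in, n)) != 0) return ret;
    if ((ret = toy_der_parse(pem.buf, pem.len)) != 0) return ret; /* leak */
    toy_pem_free(&pem);
    return 0;
}
/* Paired shape: every path after init passes through exactly one free. */
int parse_paired(const unsigned char *in, size_t n) {
    toy_pem pem; int ret;
    toy_pem_init(&pem);
    if ((ret = toy_pem_read(&pem, in, n)) == 0)
        ret = toy_der_parse(pem.buf, pem.len);
    toy_pem_free(&pem);
    return ret;
}
int outstanding(void) { return live_allocs; }
int main(void) {
    const unsigned char bad[] = { 0xff, 0x00 };  /* constructed input */
    parse_paired(bad, sizeof bad);
    printf("after paired: %d outstanding\n", outstanding());
    parse_leaky(bad, sizeof bad);
    printf("after leaky:  %d outstanding\n", outstanding());
    return 0;
}
```

Calling toy_pem_free on a context that was only initialised is harmless here, which is what makes the single-exit form safe on the path where the read itself fails.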