Skip to content

Commit

Permalink
crypto: fix memory leak if certificate is revoked
Browse files Browse the repository at this point in the history
The additional validity checks applied to StartCom and WoSign
certificates failed to free memory before returning.

Refs: #9469
Fixes: #12033
PR-URL: #12089
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
  • Loading branch information
Tom Atkinson authored and MylesBorins committed Mar 29, 2017
1 parent 1ff512c commit 5f644d2
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -2769,7 +2769,9 @@ inline bool CertIsStartComOrWoSign(X509_NAME* name) {
startcom_wosign_data = dn.data;
startcom_wosign_name = d2i_X509_NAME(nullptr, &startcom_wosign_data,
dn.len);
if (X509_NAME_cmp(name, startcom_wosign_name) == 0)
int cmp = X509_NAME_cmp(name, startcom_wosign_name);
X509_NAME_free(startcom_wosign_name);
if (cmp == 0)
return true;
}

Expand Down Expand Up @@ -2814,8 +2816,10 @@ inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) {
}

X509* leaf_cert = sk_X509_value(chain, 0);
if (!CheckStartComOrWoSign(root_name, leaf_cert))
if (!CheckStartComOrWoSign(root_name, leaf_cert)) {
sk_X509_pop_free(chain, X509_free);
return CHECK_CERT_REVOKED;
}

// When the cert is issued from either CNNNIC ROOT CA or CNNNIC EV
// ROOT CA, check a hash of its leaf cert if it is in the whitelist.
Expand Down

0 comments on commit 5f644d2

Please sign in to comment.