wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 02:37:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4632 from julek-wolfssl/PrintPubKeyEC-leak

Browse Source 
`a` and `key` were not being freed => leak in `PrintPubKeyEC`
This commit is contained in:
Kaleb Himes
2021-12-07 07:20:05 -07:00
committed by GitHub
parent 9f6aa36866 574d171357
commit 96daf2bede
2 changed files with 23 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
wolfcrypt/src/evp.c
View File

@ -8178,13 +8178,14 @@ static int PrintPubKeyEC(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
char line[32] = { 0 };
(void)pctx;
if( mp_init(&a) != 0) {
if (mp_init(&a) != 0) {
return WOLFSSL_FAILURE;
}
if (indent < 0) {
indent = 0;
}
if (indent > EVP_PKEY_PRINT_INDENT_MAX) {
else if (indent > EVP_PKEY_PRINT_INDENT_MAX) {
indent = EVP_PKEY_PRINT_INDENT_MAX;
}
@ -8214,15 +8215,17 @@ static int PrintPubKeyEC(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
}
if (res == WOLFSSL_SUCCESS) {
pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_ECC_BUFFER);
if (pub == NULL) {
return WOLFSSL_FAILURE;
}
pubSz = ECC_BUFSIZE;
XMEMSET(pub, 0, ECC_BUFSIZE);
if (pub != NULL) {
pubSz = ECC_BUFSIZE;
XMEMSET(pub, 0, ECC_BUFSIZE);
PRIVATE_KEY_UNLOCK();
res = wc_ecc_export_x963(&key, pub, &pubSz) == 0;
PRIVATE_KEY_LOCK();
PRIVATE_KEY_UNLOCK();
res = wc_ecc_export_x963(&key, pub, &pubSz) == 0;
PRIVATE_KEY_LOCK();
}
else {
res = WOLFSSL_FAILURE;
}
}
if (res == WOLFSSL_SUCCESS) {
idx = 0;
@ -8294,6 +8297,9 @@ static int PrintPubKeyEC(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
pub = NULL;
}
wc_ecc_free(&key);
mp_free(&a);
return res;
}
#endif /* HAVE_ECC */

8
wolfcrypt/src/integer.c
View File

@ -183,7 +183,13 @@ void mp_clear (mp_int * a)
return;
/* only do anything if a hasn't been freed previously */
if (a->dp != NULL) {
#ifndef HAVE_WOLF_BIGINT
/* When HAVE_WOLF_BIGINT then mp_free -> wc_bigint_free needs to be called
* because a->raw->buf may be allocated even when a->dp == NULL. This is the
* case for when a zero is loaded into the mp_int. */
if (a->dp != NULL)
#endif
{
/* first zero the digits */
for (i = 0; i < a->used; i++) {
a->dp[i] = 0;