author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-01-19 09:08:04 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-01-19 09:22:29 +0100 |
commit | 86e8d831bb3129f85379b32cdd8bbdc15f4d891e (patch) | |
tree | dc8110cd79e06f770c51bc3b08c818e725699bae | |
parent | 2754c292187288da488e4e9bd24150b6320f851d (diff) | |
download | gnutls-86e8d831bb3129f85379b32cdd8bbdc15f4d891e.tar.gz |
x509: eliminated memory leak on gnutls_x509_ext_import_aia
Issue found using oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=385
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/x509/x509_ext.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c index b947b46028..d06a38cc75 100644 --- a/lib/x509/x509_ext.c +++ b/lib/x509/x509_ext.c @@ -2723,18 +2723,24 @@ static int parse_aia(ASN1_TYPE c2, gnutls_x509_aia_t aia) } aia->aia = tmp; - aia->aia[indx].oid.data = (void*)gnutls_strdup(tmpoid); - aia->aia[indx].oid.size = strlen(tmpoid); - snprintf(nptr, sizeof(nptr), "?%u.accessLocation", i); + ret = _gnutls_parse_general_name2(c2, nptr, -1, &aia->aia[indx].san, &aia->aia[indx].san_type, 0); if (ret < 0) break; + /* we do the strdup after parsing to avoid a memory leak */ + aia->aia[indx].oid.data = (void*)gnutls_strdup(tmpoid); + aia->aia[indx].oid.size = strlen(tmpoid); + aia->size++; + if (aia->aia[indx].oid.data == NULL) { + gnutls_assert(); + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + } } if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { @@ -2754,7 +2760,7 @@ static int parse_aia(ASN1_TYPE c2, gnutls_x509_aia_t aia) * extension from the provided DER-encoded data; see RFC 5280 section 4.2.2.1 * for more information on the extension. The * AIA extension holds a sequence of AccessDescription (AD) data. - * + * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. * * Since: 3.3.0 |
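Review bot: In the first hunk of `parse_aia`, the NULL check on `aia->aia[indx].oid.data` runs only after `oid.size` has been set to `strlen(tmpoid)` and `aia->size` has been incremented. A failed `gnutls_strdup` therefore returns with a counted entry whose OID has a NULL pointer and a non-zero length. If the increment comes first on purpose, so that the caller's cleanup also releases the already-parsed `san` (that cleanup is not visible in this hunk), a short comment should say so and the error branch should reset the length with `aia->aia[indx].oid.size = 0;` before returning. Otherwise the check belongs directly under the `gnutls_strdup` line. The bare `gnutls_assert();` ahead of `return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);` looks redundant, since the macro on the return line presumably records the same site. The function body starts and ends outside the hunk, and this code parses certificate data supplied by a peer, so the error path deserves a fuzz or allocation-failure test.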