dirmngr: Fix double free of a hash context in the error case.

* dirmngr/crlcache.c: Clearly document that this function takes
ownership of MD.
(abort_sig_check): Allow NULL for MD.
(crl_parse_insert): Immediately set MD to NULL.  Remove check for md
before calling abort_sig_check.
--

GnuPG-bug-id: 3510
Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2017-11-17 10:34:40 +01:00
parent 4f5afaf1fd
commit 2aa106d6a4
1 changed files with 6 additions and 6 deletions


@ -1562,7 +1562,7 @@ start_sig_check (ksba_crl_t crl, gcry_md_hd_t *md, int *algo)
should return 0 on a good signature, GPG_ERR_BAD_SIGNATURE if the should return 0 on a good signature, GPG_ERR_BAD_SIGNATURE if the
signature does not verify or any other error code. CRL is the CRL signature does not verify or any other error code. CRL is the CRL
object we are working on, MD the hash context and ISSUER_CERT the object we are working on, MD the hash context and ISSUER_CERT the
certificate of the CRL issuer. This function closes MD. */ certificate of the CRL issuer. This function takes ownership of MD. */
static gpg_error_t static gpg_error_t
finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo, finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
ksba_cert_t issuer_cert) ksba_cert_t issuer_cert)
@ -1646,12 +1646,13 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
/* Call this to match a start_sig_check that can not be completed /* Call this to match a start_sig_check that can not be completed
normally. */ normally. Takes ownership of MD if MD is not NULL. */
static void static void
abort_sig_check (ksba_crl_t crl, gcry_md_hd_t md) abort_sig_check (ksba_crl_t crl, gcry_md_hd_t md)
{ {
(void)crl; (void)crl;
gcry_md_close (md); if (md)
gcry_md_close (md);
} }
@ -1842,13 +1843,13 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl,
} }
err = finish_sig_check (crl, md, algo, crlissuer_cert); err = finish_sig_check (crl, md, algo, crlissuer_cert);
md = NULL; /* Closed. */
if (err) if (err)
{ {
log_error (_("CRL signature verification failed: %s\n"), log_error (_("CRL signature verification failed: %s\n"),
gpg_strerror (err)); gpg_strerror (err));
goto failure; goto failure;
} }
md = NULL;
err = validate_cert_chain (ctrl, crlissuer_cert, NULL, err = validate_cert_chain (ctrl, crlissuer_cert, NULL,
(VALIDATE_FLAG_TRUST_CONFIG (VALIDATE_FLAG_TRUST_CONFIG
@ -1877,8 +1878,7 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl,
failure: failure:
if (md) abort_sig_check (crl, md);
abort_sig_check (crl, md);
ksba_cert_release (crlissuer_cert); ksba_cert_release (crlissuer_cert);
return err; return err;
} }
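Review bot: Dropping the `if (md)` guard at the `failure:` label makes crl_parse_insert depend on md being initialised to NULL at its declaration, which lies before the first hunk and is not visible here; otherwise any `goto failure` taken before start_sig_check hands an indeterminate handle to abort_sig_check and on to gcry_md_close. Please confirm the declaration reads `gcry_md_hd_t md = NULL;` rather than relying on the removed per-site check. The new `md = NULL; /* Closed. */` after finish_sig_check is only correct if that function releases the handle on every one of its return paths, including early error returns; its body is outside the hunks, so I would tighten the header comment to `This function takes ownership of MD and closes it on every return path, including errors.` As far as I recall libgcrypt's gcry_md_close already tolerates a NULL handle, so the added `if (md)` in abort_sig_check is redundant but harmless and serves as documentation of the contract. The enclosing crl_parse_insert body begins before the third hunk and is not shown in full.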