sm: Avoid memory leaks and double double-free

* sm/certcheck.c (extract_pss_params): Avoid double free * sm/decrypt.c (gpgsm_decrypt): goto leave instead of return * sm/encrypt.c (encrypt_dek): release s_pkey * sm/server.c (cmd_export): free list (do_listkeys): free lists -- Signed-off-by: Jakub Jelen <jjelen@redhat.com> GnuPG-bug-id: 5393
2021-04-12 14:05:17 +02:00 · 2021-04-12 14:05:17 +02:00 · e6132bc9f4
parent 2af7bb2295
commit e6132bc9f4
4 changed files with 26 additions and 7 deletions
--- a/sm/certcheck.c
+++ b/sm/certcheck.c
@ -294,7 +294,6 @@ extract_pss_params (gcry_sexp_t s_sig, int *r_algo, unsigned int *r_saltlen)
  if (*r_saltlen < 20)
    {
      log_error ("length of PSS salt too short\n");
-      gcry_sexp_release (s_sig);
      return gpg_error (GPG_ERR_DIGEST_ALGO);
    }
  if (!*r_algo)
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@ -1148,7 +1148,10 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
          dfparm.mode = mode;
          dfparm.blklen = gcry_cipher_get_algo_blklen (algo);
          if (dfparm.blklen > sizeof (dfparm.helpblock))
-            return gpg_error (GPG_ERR_BUG);
+            {
+              rc = gpg_error (GPG_ERR_BUG);
+              goto leave;
+            }

          rc = ksba_cms_get_content_enc_iv (cms,
                                            dfparm.iv,
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@ -473,6 +473,7 @@ encrypt_dek (const DEK dek, ksba_cert_t cert, int pk_algo,
      rc = encode_session_key (dek, &s_data);
      if (rc)
        {
+          gcry_sexp_release (s_pkey);
          log_error ("encode_session_key failed: %s\n", gpg_strerror (rc));
          return rc;
        }
--- a/sm/server.c
+++ b/sm/server.c
@ -724,8 +724,13 @@ cmd_export (assuan_context_t ctx, char *line)

  if (opt_secret)
    {
-      if (!list || !*list->d)
+      if (!list)
        return set_error (GPG_ERR_NO_DATA, "No key given");
+      if (!*list->d)
+        {
+          free_strlist (list);
+          return set_error (GPG_ERR_NO_DATA, "No key given");
+        }
      if (list->next)
        return set_error (GPG_ERR_TOO_MANY, "Only one key allowed");
  }
@ -1014,17 +1019,27 @@ do_listkeys (assuan_context_t ctx, char *line, int mode)
      int outfd = translate_sys2libc_fd (assuan_get_output_fd (ctx), 1);

      if ( outfd == -1 )
-        return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL);
+        {
+          free_strlist (list);
+          return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL);
+        }
      fp = es_fdopen_nc (outfd, "w");
      if (!fp)
-        return set_error (gpg_err_code_from_syserror (), "es_fdopen() failed");
+        {
+          free_strlist (list);
+          return set_error (gpg_err_code_from_syserror (),
+                            "es_fdopen() failed");
+        }
    }
  else
    {
      fp = es_fopencookie (ctx, "w", data_line_cookie_functions);
      if (!fp)
-        return set_error (GPG_ERR_ASS_GENERAL,
-                          "error setting up a data stream");
+        {
+          free_strlist (list);
+          return set_error (GPG_ERR_ASS_GENERAL,
+                            "error setting up a data stream");
+        }
    }

  ctrl->with_colons = 1;
@ -1034,6 +1049,7 @@ do_listkeys (assuan_context_t ctx, char *line, int mode)
  if (ctrl->server_local->list_external)
    listmode |= (1<<7);
  err = gpgsm_list_keys (assuan_get_pointer (ctx), list, fp, listmode);
+
  free_strlist (list);
  es_fclose (fp);
  if (ctrl->server_local->list_to_output)