Fix memory leak in x509_verify_cert_ku()

If keyUsage was only required to be present, but no specific value was
required, we would omit to free the extracted string. This happens as of
2.4.1, if --remote-cert-tls is used. In that case we leak a bit of
memory on each TLS (re)negotiation.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494154878-18403-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14563.html
Signed-off-by: David Sommerseth <davids@openvpn.net>

Steffan Karger authored on 2017/05/07 20:01:18
Showing 2 changed files
@@ -318,3 +318,12 @@ Version 2.4.1
318 318
   ``--remote-cert-tls`` uses the far more common keyUsage and extendedKeyUsage
319 319
   extension instead.  Make sure your certificates carry these to be able to
320 320
   use ``--remote-cert-tls``.
321
+
322
+
323
+Version 2.4.2
324
+=============
325
+
326
+Bugfixes
327
+--------
328
+- Fix memory leak introduced in 2.4.1: if --remote-cert-tls is used, we leaked
329
+  some memory on each TLS (re)negotiation.
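Review bot: the new 2.4.2 changelog entry could state the exact trigger condition so operators can judge exposure: per the commit message the leak only occurs when keyUsage is required to be present but no specific value is checked (the `--remote-cert-tls` case), and it grows with every TLS (re)negotiation, so long-running servers with many clients are the ones that will notice process memory creeping up. Something like "- Fix memory leak introduced in 2.4.1: if --remote-cert-tls is used, we leaked a small amount of memory in x509_verify_cert_ku() on each TLS (re)negotiation." ties the note to the affected function for anyone bisecting.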
@@ -607,6 +607,7 @@ x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku,
607 607
     if (expected_ku[0] == OPENVPN_KU_REQUIRED)
608 608
     {
609 609
         /* Extension required, value checked by TLS library */
610
+        ASN1_BIT_STRING_free(ku);
610 611
         return SUCCESS;
611 612
     }
612 613
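Review bot: freeing `ku` on the `OPENVPN_KU_REQUIRED` early-return path is the right fix for the visible leak, but this function now has at least two exits that each have to remember to release `ku` (this `return SUCCESS;` and whatever follows the block for the value-checking case), which is exactly how the 2.4.1 regression slipped in. Consider restructuring so the extension is released at a single exit, e.g. set a result variable instead of returning here and fall through to one `ASN1_BIT_STRING_free(ku);` before the final `return`, so any future early return cannot reintroduce the leak. Also worth confirming in the surrounding code (not shown in the hunk) that every other error or failure return after `ku` is extracted frees it as well.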