Browse code
tls-crypt: don't leak memory for incorrect tls-crypt messages
If tls_crypt_unwrap() failed, we would jump to cleanup and forget to free
the buffer. Instead, allocate the buffer through gc, which is free'd in
the cleanup section.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170816170450.10415-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15282.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger authored on 2017/08/17 02:04:50Showing 1 changed files
| ... | ... |
@@ -1534,7 +1534,7 @@ read_control_auth(struct buffer *buf, |
| 1534 | 1534 |
} |
| 1535 | 1535 |
else if (ctx->mode == TLS_WRAP_CRYPT) |
| 1536 | 1536 |
{
|
| 1537 |
- struct buffer tmp = alloc_buf(buf_forward_capacity_total(buf)); |
|
| 1537 |
+ struct buffer tmp = alloc_buf_gc(buf_forward_capacity_total(buf), &gc); |
|
| 1538 | 1538 |
if (!tls_crypt_unwrap(buf, &tmp, &ctx->opt)) |
| 1539 | 1539 |
{
|
| 1540 | 1540 |
msg(D_TLS_ERRORS, "TLS Error: tls-crypt unwrapping failed from %s", |
| ... | ... |
@@ -1543,7 +1543,7 @@ read_control_auth(struct buffer *buf, |
| 1543 | 1543 |
} |
| 1544 | 1544 |
ASSERT(buf_init(buf, buf->offset)); |
| 1545 | 1545 |
ASSERT(buf_copy(buf, &tmp)); |
| 1546 |
- free_buf(&tmp); |
|
| 1546 |
+ buf_clear(&tmp); |
|
| 1547 | 1547 |
} |
| 1548 | 1548 |
|
| 1549 | 1549 |
if (ctx->mode == TLS_WRAP_NONE || ctx->mode == TLS_WRAP_AUTH) |