diff --git a/gnupg-2.2.21-coverity.patch b/gnupg-2.2.21-coverity.patch index 7de8a3c..edd5e67 100644 --- a/gnupg-2.2.21-coverity.patch +++ b/gnupg-2.2.21-coverity.patch @@ -1,6 +1,6 @@ diff -up gnupg-2.2.21/common/server-help.c.coverity gnupg-2.2.21/common/server-help.c ---- gnupg-2.2.21/common/server-help.c.coverity 2019-02-11 10:59:34.000000000 +0100 -+++ gnupg-2.2.21/common/server-help.c 2020-07-20 17:09:57.416148768 +0200 +--- gnupg-2.2.21/common/server-help.c.coverity 2019-02-11 10:59:34.000000000 +0100 ++++ gnupg-2.2.21/common/server-help.c 2020-07-20 17:09:57.416148768 +0200 @@ -156,7 +156,7 @@ get_option_value (char *line, const char *pend = 0; *r_value = xtrystrdup (p); @@ -10,82 +10,969 @@ diff -up gnupg-2.2.21/common/server-help.c.coverity gnupg-2.2.21/common/server-h return my_error_from_syserror (); return 0; } -diff -up gnupg-2.2.21/dirmngr/domaininfo.c.coverity gnupg-2.2.21/dirmngr/domaininfo.c ---- gnupg-2.2.21/dirmngr/domaininfo.c.coverity 2019-07-09 11:08:45.000000000 +0200 -+++ gnupg-2.2.21/dirmngr/domaininfo.c 2020-07-20 17:09:57.418148784 +0200 -@@ -193,6 +193,7 @@ insert_or_update (const char *domain, - log_error ("domaininfo: error allocating helper array: %s\n", - gpg_strerror (gpg_err_code_from_syserror ())); - drop_extra = bucket; -+ xfree (di_new); - goto leave; - } - narray = 0; -@@ -258,6 +259,8 @@ insert_or_update (const char *domain, - * sensible strategy. */ - drop_extra = domainbuckets[hash]; - domainbuckets[hash] = keep; -+ -+ xfree (array); - } + + +From 912e77f07d8a42d7ad001eb3df76f6932ccfa857 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 7 Apr 2021 17:37:51 +0200 +Subject: [PATCH GnuPG 01/19] agent: Avoid memory leaks + +* agent/command.c (cmd_genkey): use goto leave instead of return +* agent/cvt-openpgp.c (convert_from_openpgp_main): use goto leave + instead of return +* agent/genkey.c (agent_ask_new_passphrase): fix typo to free correct + pointer + (agent_genkey): release memory +* agent/gpg-agent.c (check_own_socket): free sockname +* agent/protect-tool.c (read_key): free buf + (agent_askpin): free passphrase +* agent/protect.c (merge_lists): free newlist + +-- + +Signed-off-by: Jakub Jelen +--- + agent/command.c | 2 +- + agent/cvt-openpgp.c | 5 ++++- + agent/genkey.c | 7 +++++-- + agent/gpg-agent.c | 10 ++++++++-- + agent/protect-tool.c | 6 +++++- + agent/protect.c | 5 ++++- + 6 files changed, 27 insertions(+), 8 deletions(-) + +diff --git a/agent/command.c b/agent/command.c +index 93cd281e7..b9a1ed038 100644 +--- a/agent/command.c ++++ b/agent/command.c +@@ -1021,7 +1021,7 @@ cmd_genkey (assuan_context_t ctx, char *line) + if (!rc) + rc = assuan_inquire (ctx, "KEYPARAM", &value, &valuelen, MAXLEN_KEYPARAM); + if (rc) +- return rc; ++ goto leave; - /* Insert */ -diff -up gnupg-2.2.21/dirmngr/http.c.coverity gnupg-2.2.21/dirmngr/http.c ---- gnupg-2.2.21/dirmngr/http.c.coverity 2019-11-18 18:44:33.000000000 +0100 -+++ gnupg-2.2.21/dirmngr/http.c 2020-07-20 17:09:57.419148793 +0200 -@@ -3656,7 +3656,6 @@ http_prepare_redirect (http_redir_info_t - if (!newurl) - { - err = gpg_error_from_syserror (); -- http_release_parsed_uri (locuri); - return err; - } - } -@@ -3675,7 +3674,6 @@ http_prepare_redirect (http_redir_info_t - if (!newurl) - { - err = gpg_error_from_syserror (); -- http_release_parsed_uri (locuri); - return err; - } - } -diff -up gnupg-2.2.21/dirmngr/ks-engine-hkp.c.coverity gnupg-2.2.21/dirmngr/ks-engine-hkp.c ---- gnupg-2.2.21/dirmngr/ks-engine-hkp.c.coverity 2019-11-18 18:44:33.000000000 +0100 -+++ gnupg-2.2.21/dirmngr/ks-engine-hkp.c 2020-07-20 17:09:57.419148793 +0200 -@@ -1426,7 +1426,7 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t - int reselect; - unsigned int httpflags; - char *httphost = NULL; -- unsigned int http_status; -+ unsigned int http_status = 0; - unsigned int tries = SEND_REQUEST_RETRIES; - unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES; + init_membuf (&outbuf, 512); -diff -up gnupg-2.2.21/g10/import.c.coverity gnupg-2.2.21/g10/import.c ---- gnupg-2.2.21/g10/import.c.coverity 2020-07-20 17:09:57.416148768 +0200 -+++ gnupg-2.2.21/g10/import.c 2020-07-20 17:09:57.419148793 +0200 -@@ -1888,7 +1888,7 @@ import_one_real (ctrl_t ctrl, +diff --git a/agent/cvt-openpgp.c b/agent/cvt-openpgp.c +index 3da553f95..53c88154b 100644 +--- a/agent/cvt-openpgp.c ++++ b/agent/cvt-openpgp.c +@@ -964,7 +964,10 @@ convert_from_openpgp_main (ctrl_t ctrl, gcry_sexp_t s_pgp, int dontcare_exist, - if (opt.interactive && !silent) + pi = xtrycalloc_secure (1, sizeof (*pi) + MAX_PASSPHRASE_LEN + 1); + if (!pi) +- return gpg_error_from_syserror (); ++ { ++ err = gpg_error_from_syserror (); ++ goto leave; ++ } + pi->max_length = MAX_PASSPHRASE_LEN + 1; + pi->min_digits = 0; /* We want a real passphrase. */ + pi->max_digits = 16; +diff --git a/agent/genkey.c b/agent/genkey.c +index 9b47f0fac..c7cfc6910 100644 +--- a/agent/genkey.c ++++ b/agent/genkey.c +@@ -363,7 +363,7 @@ agent_ask_new_passphrase (ctrl_t ctrl, const char *prompt, + if (!pi2) { -- if (is_status_enabled()) -+ if (uidnode && is_status_enabled()) - print_import_check (pk, uidnode->pkt->pkt.user_id); - merge_keys_and_selfsig (ctrl, keyblock); - tty_printf ("\n"); -diff -up gnupg-2.2.21/g10/keygen.c.coverity gnupg-2.2.21/g10/keygen.c ---- gnupg-2.2.21/g10/keygen.c.coverity 2020-07-20 17:09:57.401148640 +0200 -+++ gnupg-2.2.21/g10/keygen.c 2020-07-20 17:09:57.420148801 +0200 -@@ -3075,7 +3075,7 @@ parse_key_parameter_part (ctrl_t ctrl, - char *endp; - const char *curve = NULL; - int ecdh_or_ecdsa = 0; -- unsigned int size; -+ unsigned int size = 0; - int keyuse; - int keyversion = 4; - int i; -@@ -5719,12 +5719,20 @@ gen_card_key (int keyno, int algo, int i + err = gpg_error_from_syserror (); +- xfree (pi2); ++ xfree (pi); + return err; + } + pi->max_length = MAX_PASSPHRASE_LEN + 1; +@@ -465,7 +465,10 @@ agent_genkey (ctrl_t ctrl, const char *cache_nonce, time_t timestamp, + "protect your new key"), + &passphrase_buffer); + if (rc) +- return rc; ++ { ++ gcry_sexp_release (s_keyparam); ++ return rc; ++ } + passphrase = passphrase_buffer; + } + +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index 1285db995..8f504191b 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -3214,11 +3214,17 @@ check_own_socket (void) + + sockname = make_filename_try (gnupg_socketdir (), GPG_AGENT_SOCK_NAME, NULL); + if (!sockname) +- return; /* Out of memory. */ ++ { ++ xfree (sockname); ++ return; /* Out of memory. */ ++ } + + err = npth_attr_init (&tattr); + if (err) +- return; ++ { ++ xfree (sockname); ++ return; ++ } + npth_attr_setdetachstate (&tattr, NPTH_CREATE_DETACHED); + err = npth_create (&thread, &tattr, check_own_socket_thread, sockname); + if (err) +diff --git a/agent/protect-tool.c b/agent/protect-tool.c +index 1fcbd119f..bb17033a8 100644 +--- a/agent/protect-tool.c ++++ b/agent/protect-tool.c +@@ -319,6 +319,7 @@ read_key (const char *fname) + if (buflen >= 4 && !memcmp (buf, "Key:", 4)) + { + log_error ("Extended key format is not supported by this tool\n"); ++ xfree (buf); + return NULL; + } + key = make_canonical (fname, buf, buflen); +@@ -793,7 +794,10 @@ agent_askpin (ctrl_t ctrl, + passphrase = get_passphrase (0); + size = strlen (passphrase); + if (size >= pininfo->max_length) +- return gpg_error (GPG_ERR_TOO_LARGE); ++ { ++ xfree (passphrase); ++ return gpg_error (GPG_ERR_TOO_LARGE); ++ } + + memcpy (&pininfo->pin, passphrase, size); + xfree (passphrase); +diff --git a/agent/protect.c b/agent/protect.c +index 76ead444b..50b10eb26 100644 +--- a/agent/protect.c ++++ b/agent/protect.c +@@ -949,7 +949,10 @@ merge_lists (const unsigned char *protectedkey, + /* Copy the cleartext. */ + s = cleartext; + if (*s != '(' && s[1] != '(') +- return gpg_error (GPG_ERR_BUG); /*we already checked this */ ++ { ++ xfree (newlist); ++ return gpg_error (GPG_ERR_BUG); /*we already checked this */ ++ } + s += 2; + startpos = s; + while ( *s == '(' ) +-- +2.30.2 + + +From 93dc0474ea35c0f8f93e0c5eee14cf0157b0d896 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 7 Apr 2021 18:54:02 +0200 +Subject: [PATCH GnuPG 02/19] dirmgr: clean up memory on error code paths + +* dirmgr/crlcache.c (finish_sig_check): goto leave instead of return +* dirmgr/http.c (send_request): free authstr and proxy_authstr +* dirmgr/ldap.c (start_cert_fetch_ldap): free proxy +* dirmgr/ocsp.c (check_signature): release s_hash + +-- + +Signed-off-by: Jakub Jelen +--- + dirmngr/crlcache.c | 9 ++++++--- + dirmngr/http.c | 6 +++++- + dirmngr/ldap.c | 6 ++++-- + dirmngr/ocsp.c | 1 + + 4 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c +index 9d18b721f..d508e173f 100644 +--- a/dirmngr/crlcache.c ++++ b/dirmngr/crlcache.c +@@ -1725,7 +1725,8 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo, + { + log_error ("hash algo mismatch: %d announced but %d used\n", + algo, hashalgo); +- return gpg_error (GPG_ERR_INV_CRL); ++ err = gpg_error (GPG_ERR_INV_CRL); ++ goto leave; + } + /* Add some restrictions; see ../sm/certcheck.c for details. */ + switch (algo) +@@ -1741,14 +1742,16 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo, + default: + log_error ("PSS hash algorithm '%s' rejected\n", + gcry_md_algo_name (algo)); +- return gpg_error (GPG_ERR_DIGEST_ALGO); ++ err = gpg_error (GPG_ERR_DIGEST_ALGO); ++ goto leave; + } + + if (gcry_md_get_algo_dlen (algo) != saltlen) + { + log_error ("PSS hash algorithm '%s' rejected due to salt length %u\n", + gcry_md_algo_name (algo), saltlen); +- return gpg_error (GPG_ERR_DIGEST_ALGO); ++ err = gpg_error (GPG_ERR_DIGEST_ALGO); ++ goto leave; + } + } + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index f7f65303b..74ce5f465 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2208,7 +2208,11 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth, + + p = build_rel_path (hd->uri); + if (!p) +- return gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); ++ { ++ xfree (authstr); ++ xfree (proxy_authstr); ++ return gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); ++ } + + if (http_proxy && *http_proxy) + { +diff --git a/dirmngr/ldap.c b/dirmngr/ldap.c +index ffe54bade..96abc89d0 100644 +--- a/dirmngr/ldap.c ++++ b/dirmngr/ldap.c +@@ -563,8 +563,10 @@ start_cert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *r_context, + use_ldaps = server->use_ldaps; + } + else /* Use a default server. */ +- return gpg_error (GPG_ERR_NOT_IMPLEMENTED); +- ++ { ++ xfree (proxy); ++ return gpg_error (GPG_ERR_NOT_IMPLEMENTED); ++ } + + if (!base) + base = ""; +diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c +index 6ed180955..6864f9854 100644 +--- a/dirmngr/ocsp.c ++++ b/dirmngr/ocsp.c +@@ -534,6 +534,7 @@ check_signature (ctrl_t ctrl, + err = ksba_ocsp_get_responder_id (ocsp, &name, &keyid); + if (err) + { ++ gcry_sexp_release (s_hash); + log_error (_("error getting responder ID: %s\n"), + gcry_strerror (err)); + return err; +-- +2.30.2 + + +From 7a707a3eff1c3fbe17a74337776871f408377cee Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 9 Apr 2021 16:13:07 +0200 +Subject: [PATCH GnuPG 03/19] g10: Fix memory leaks + +* g10/card-util.c (change_pin): free answer on errors + (ask_card_keyattr): free answer on error +* g10/cpr.c (do_get_from_fd): free string +* g10/gpg.c (check_permissions): free dir on weird error +* g10/import.c (append_new_uid): release knode +* g10/keyedit.c (menu_set_keyserver_url): free answer + (menu_set_keyserver_url): free user +* g10/keygen.c (print_status_key_not_created): move allocation after + sanity check + (ask_expire_interval): free answer + (card_store_key_with_backup): goto leave instaed of return +* g10/keyserver.c (parse_keyserver_uri): goto fail instead of return +* g10/revoke.c (gen_desig_revoke): release kdbhd + (gen_desig_revoke): free answer +* g10/tofu.c (ask_about_binding): free sqerr and response +* g10/trustdb.c (ask_ownertrust): free pk + +-- + +Signed-off-by: Jakub Jelen +--- + g10/card-util.c | 14 +++++++++++--- + g10/cpr.c | 6 +++++- + g10/gpg.c | 1 + + g10/import.c | 5 ++++- + g10/keyedit.c | 8 +++++++- + g10/keygen.c | 15 +++++++++++---- + g10/keyserver.c | 2 +- + g10/revoke.c | 6 +++++- + g10/tofu.c | 4 ++++ + g10/trustdb.c | 1 + + 10 files changed, 50 insertions(+), 12 deletions(-) + +diff --git a/g10/card-util.c b/g10/card-util.c +index 36f096f06..c7df8380d 100644 +--- a/g10/card-util.c ++++ b/g10/card-util.c +@@ -127,7 +127,7 @@ change_pin (int unblock_v2, int allow_admin) + else + for (;;) + { +- char *answer; ++ char *answer = NULL; + + tty_printf ("\n"); + tty_printf ("1 - change PIN\n" +@@ -140,7 +140,10 @@ change_pin (int unblock_v2, int allow_admin) + answer = cpr_get("cardutil.change_pin.menu",_("Your selection? ")); + cpr_kill_prompt(); + if (strlen (answer) != 1) +- continue; ++ { ++ xfree (answer); ++ continue; ++ } + + if (*answer == '1') + { +@@ -185,8 +188,10 @@ change_pin (int unblock_v2, int allow_admin) + } + else if (*answer == 'q' || *answer == 'Q') + { ++ xfree (answer); + break; + } ++ xfree (answer); + } + + agent_release_card_info (&info); +@@ -1450,7 +1455,10 @@ ask_card_keyattr (int keyno, const struct key_attr *current) + algo = *answer? atoi (answer) : 0; + + if (!*answer || algo == 1 || algo == 2) +- break; ++ { ++ xfree (answer); ++ break; ++ } + else + tty_printf (_("Invalid selection.\n")); + } +diff --git a/g10/cpr.c b/g10/cpr.c +index 5a39913c5..002656b82 100644 +--- a/g10/cpr.c ++++ b/g10/cpr.c +@@ -527,7 +527,11 @@ do_get_from_fd ( const char *keyword, int hidden, int getbool ) + write_status (STATUS_GOT_IT); + + if (getbool) /* Fixme: is this correct??? */ +- return (string[0] == 'Y' || string[0] == 'y') ? "" : NULL; ++ { ++ char *rv = (string[0] == 'Y' || string[0] == 'y') ? "" : NULL; ++ xfree (string); ++ return rv; ++ } + + return string; + } +diff --git a/g10/gpg.c b/g10/gpg.c +index f5623be76..186845cea 100644 +--- a/g10/gpg.c ++++ b/g10/gpg.c +@@ -1601,6 +1601,7 @@ check_permissions (const char *path, int item) + if (gnupg_stat (dir,&dirbuf) || !S_ISDIR (dirbuf.st_mode)) + { + /* Weird error */ ++ xfree(dir); + ret=1; + goto end; + } +diff --git a/g10/import.c b/g10/import.c +index 821ddf0d4..951c33d81 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -4524,7 +4524,10 @@ append_new_uid (unsigned int options, + err = insert_key_origin_uid (n->pkt->pkt.user_id, + curtime, origin, url); + if (err) +- return err; ++ { ++ release_kbnode (n); ++ return err; ++ } + } + + if (n_where) +diff --git a/g10/keyedit.c b/g10/keyedit.c +index 531d3e128..902741b5f 100644 +--- a/g10/keyedit.c ++++ b/g10/keyedit.c +@@ -5307,7 +5307,10 @@ menu_set_keyserver_url (ctrl_t ctrl, const char *url, kbnode_t pub_keyblock) + } + + if (ascii_strcasecmp (answer, "none") == 0) +- uri = NULL; ++ { ++ xfree (answer); ++ uri = NULL; ++ } + else + { + struct keyserver_spec *keyserver = NULL; +@@ -5379,12 +5382,14 @@ menu_set_keyserver_url (ctrl_t ctrl, const char *url, kbnode_t pub_keyblock) + uri + ? _("Are you sure you want to replace it? (y/N) ") + : _("Are you sure you want to delete it? (y/N) "))) ++ xfree (user); + continue; + } + else if (uri == NULL) + { + /* There is no current keyserver URL, so there + is no point in trying to un-set it. */ ++ xfree (user); + continue; + } + +@@ -5397,6 +5402,7 @@ menu_set_keyserver_url (ctrl_t ctrl, const char *url, kbnode_t pub_keyblock) + log_error ("update_keysig_packet failed: %s\n", + gpg_strerror (rc)); + xfree (uri); ++ xfree (user); + return 0; + } + /* replace the packet */ +diff --git a/g10/keygen.c b/g10/keygen.c +index 5d85c05d4..f1e4d3638 100644 +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -237,12 +237,13 @@ print_status_key_not_created (const char *handle) + static gpg_error_t + write_uid (kbnode_t root, const char *s) + { +- PACKET *pkt = xmalloc_clear (sizeof *pkt); ++ PACKET *pkt = NULL; + size_t n = strlen (s); + + if (n > MAX_UID_PACKET_LENGTH - 10) + return gpg_error (GPG_ERR_INV_USER_ID); + ++ pkt = xmalloc_clear (sizeof *pkt); + pkt->pkttype = PKT_USER_ID; + pkt->pkt.user_id = xmalloc_clear (sizeof *pkt->pkt.user_id + n); + pkt->pkt.user_id->len = n; +@@ -2860,7 +2861,10 @@ ask_expire_interval(int object,const char *def_expire) + xfree(prompt); + + if(*answer=='\0') +- answer=xstrdup(def_expire); ++ { ++ xfree (answer); ++ answer = xstrdup (def_expire); ++ } + } + cpr_kill_prompt(); + trim_spaces(answer); +@@ -5238,12 +5242,15 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk, + epoch2isotime (timestamp, (time_t)sk->timestamp); + err = hexkeygrip_from_pk (sk, &hexgrip); + if (err) +- return err; ++ goto leave; + + memset(&info, 0, sizeof (info)); + rc = agent_scd_getattr ("SERIALNO", &info); + if (rc) +- return (gpg_error_t)rc; ++ { ++ err = (gpg_error_t)rc; ++ goto leave; ++ } + + rc = agent_keytocard (hexgrip, 2, 1, info.serialno, timestamp); + xfree (info.serialno); +diff --git a/g10/keyserver.c b/g10/keyserver.c +index c56021691..a20ebf24e 100644 +--- a/g10/keyserver.c ++++ b/g10/keyserver.c +@@ -284,7 +284,7 @@ parse_keyserver_uri (const char *string,int require_scheme) + if(*idx=='\0' || *idx=='[') + { + if(require_scheme) +- return NULL; ++ goto fail; + + /* Assume HKP if there is no scheme */ + assume_hkp=1; +diff --git a/g10/revoke.c b/g10/revoke.c +index c0a003b6f..d6cbf93cb 100644 +--- a/g10/revoke.c ++++ b/g10/revoke.c +@@ -435,6 +435,7 @@ gen_desig_revoke (ctrl_t ctrl, const char *uname, strlist_t locusr) + iobuf_close(out); + release_revocation_reason_info( reason ); + release_armor_context (afx); ++ keydb_release (kdbhd); + return rc; + } + +@@ -804,7 +805,10 @@ ask_revocation_reason( int key_rev, int cert_rev, int hint ) + trim_spaces( answer ); + cpr_kill_prompt(); + if( *answer == 'q' || *answer == 'Q') +- return NULL; /* cancel */ ++ { ++ xfree (answer); ++ return NULL; /* cancel */ ++ } + if( hint && !*answer ) + n = hint; + else if(!digitp( answer ) ) +diff --git a/g10/tofu.c b/g10/tofu.c +index f49083844..83786a08d 100644 +--- a/g10/tofu.c ++++ b/g10/tofu.c +@@ -1687,6 +1687,8 @@ ask_about_binding (ctrl_t ctrl, + GPGSQL_ARG_END); + if (rc) + { ++ sqlite3_free (sqerr); ++ sqerr = NULL; + rc = gpg_error (GPG_ERR_GENERAL); + break; + } +@@ -1972,6 +1974,7 @@ ask_about_binding (ctrl_t ctrl, + else if (!response[0]) + /* Default to unknown. Don't save it. */ + { ++ xfree (response); + tty_printf (_("Defaulting to unknown.\n")); + *policy = TOFU_POLICY_UNKNOWN; + break; +@@ -1983,6 +1986,7 @@ ask_about_binding (ctrl_t ctrl, + if (choice) + { + int c = ((size_t) choice - (size_t) choices) / 2; ++ xfree (response); + + switch (c) + { +diff --git a/g10/trustdb.c b/g10/trustdb.c +index 43bce0769..9ef4644bf 100644 +--- a/g10/trustdb.c ++++ b/g10/trustdb.c +@@ -1430,6 +1430,7 @@ ask_ownertrust (ctrl_t ctrl, u32 *kid, int minimum) + { + log_error (_("public key %s not found: %s\n"), + keystr(kid), gpg_strerror (rc) ); ++ free_public_key (pk); + return TRUST_UNKNOWN; + } + +-- +2.30.2 + + +From 0dabf0cffb1d67812c50a4f727398b59f93270a6 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 12 Apr 2021 14:05:17 +0200 +Subject: [PATCH GnuPG 04/19] sm: Avoid memory leaks and double double-free + +* sm/certcheck.c (extract_pss_params): Avoid double free +* sm/decrypt.c (gpgsm_decrypt): goto leave instead of return +* sm/encrypt.c (encrypt_dek): release s_pkey +* sm/server.c (cmd_export): free list + (do_listkeys): free lists + +-- + +Signed-off-by: Jakub Jelen +--- + sm/certcheck.c | 1 - + sm/decrypt.c | 5 ++++- + sm/encrypt.c | 1 + + sm/server.c | 24 +++++++++++++++++++----- + 4 files changed, 24 insertions(+), 7 deletions(-) + +diff --git a/sm/certcheck.c b/sm/certcheck.c +index fca45759b..f4db858c3 100644 +--- a/sm/certcheck.c ++++ b/sm/certcheck.c +@@ -294,7 +294,6 @@ extract_pss_params (gcry_sexp_t s_sig, int *r_algo, unsigned int *r_saltlen) + if (*r_saltlen < 20) + { + log_error ("length of PSS salt too short\n"); +- gcry_sexp_release (s_sig); + return gpg_error (GPG_ERR_DIGEST_ALGO); + } + if (!*r_algo) +diff --git a/sm/decrypt.c b/sm/decrypt.c +index aa91b370d..f7f91c466 100644 +--- a/sm/decrypt.c ++++ b/sm/decrypt.c +@@ -755,7 +755,10 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp) + dfparm.mode = mode; + dfparm.blklen = gcry_cipher_get_algo_blklen (algo); + if (dfparm.blklen > sizeof (dfparm.helpblock)) +- return gpg_error (GPG_ERR_BUG); ++ { ++ rc = gpg_error (GPG_ERR_BUG); ++ goto leave; ++ } + + rc = ksba_cms_get_content_enc_iv (cms, + dfparm.iv, +diff --git a/sm/encrypt.c b/sm/encrypt.c +index 92ca341f5..ba2428e9a 100644 +--- a/sm/encrypt.c ++++ b/sm/encrypt.c +@@ -473,6 +473,7 @@ encrypt_dek (const DEK dek, ksba_cert_t cert, int pk_algo, + rc = encode_session_key (dek, &s_data); + if (rc) + { ++ gcry_sexp_release (s_pkey); + log_error ("encode_session_key failed: %s\n", gpg_strerror (rc)); + return rc; + } +diff --git a/sm/server.c b/sm/server.c +index 874f0db89..871cc4b31 100644 +--- a/sm/server.c ++++ b/sm/server.c +@@ -724,8 +724,13 @@ cmd_export (assuan_context_t ctx, char *line) + + if (opt_secret) + { +- if (!list || !*list->d) ++ if (!list) + return set_error (GPG_ERR_NO_DATA, "No key given"); ++ if (!*list->d) ++ { ++ free_strlist (list); ++ return set_error (GPG_ERR_NO_DATA, "No key given"); ++ } + if (list->next) + return set_error (GPG_ERR_TOO_MANY, "Only one key allowed"); + } +@@ -1014,17 +1019,26 @@ do_listkeys (assuan_context_t ctx, char *line, int mode) + int outfd = translate_sys2libc_fd (assuan_get_output_fd (ctx), 1); + + if ( outfd == -1 ) +- return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL); ++ { ++ free_strlist (list); ++ return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL); ++ } + fp = es_fdopen_nc (outfd, "w"); + if (!fp) +- return set_error (gpg_err_code_from_syserror (), "es_fdopen() failed"); ++ { ++ free_strlist (list); ++ return set_error (gpg_err_code_from_syserror (), "es_fdopen() failed"); ++ } + } + else + { + fp = es_fopencookie (ctx, "w", data_line_cookie_functions); + if (!fp) +- return set_error (GPG_ERR_ASS_GENERAL, +- "error setting up a data stream"); ++ { ++ free_strlist (list); ++ return set_error (GPG_ERR_ASS_GENERAL, ++ "error setting up a data stream"); ++ } + } + + ctrl->with_colons = 1; +-- +2.30.2 + + +From febbe77870b51e4e1158ae9efeaa0f3aad69a495 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 12 Apr 2021 14:48:59 +0200 +Subject: [PATCH GnuPG 05/19] tools: Avoid memory leak sfrom gpgspilt + +* tools/gpgsplit.c (write_part): free blob + +-- + +Signed-off-by: Jakub Jelen +--- + tools/gpgsplit.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/gpgsplit.c b/tools/gpgsplit.c +index cc7bf8ef5..93458068c 100644 +--- a/tools/gpgsplit.c ++++ b/tools/gpgsplit.c +@@ -620,6 +620,7 @@ write_part (FILE *fpin, unsigned long pktlen, + } + } + ++ xfree (blob); + goto ready; + } + +-- +2.30.2 + + +From 1cd048ba37786f46aabf3efdc3c245b75244dc26 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 12 Apr 2021 19:19:59 +0200 +Subject: [PATCH GnuPG 06/19] agent: Fix memory leaks + +* agent/call-daemon.c (daemon_start): free wctp +* agent/call-scd.c (agent_card_pksign): return error instead of noop + (card_keyinfo_cb): free keyinfo +* agent/protect.c (agent_get_shadow_info_type): allocate only as a last + action + (agent_is_tpm2_key): Free buf + +-- + +Signed-off-by: Jakub Jelen +--- + agent/call-daemon.c | 2 ++ + agent/call-scd.c | 4 +++- + agent/protect.c | 17 +++++++++-------- + 3 files changed, 14 insertions(+), 9 deletions(-) + +diff --git a/agent/call-daemon.c b/agent/call-daemon.c +index 144400875..3bf6bb793 100644 +--- a/agent/call-daemon.c ++++ b/agent/call-daemon.c +@@ -512,6 +512,8 @@ daemon_start (enum daemon_type type, ctrl_t ctrl) + log_error ("error spawning wait_child_thread: %s\n", strerror (err)); + npth_attr_destroy (&tattr); + } ++ else ++ xfree (wctp); + } + + leave: +diff --git a/agent/call-scd.c b/agent/call-scd.c +index 3ede33c1d..f060541a3 100644 +--- a/agent/call-scd.c ++++ b/agent/call-scd.c +@@ -487,7 +487,7 @@ agent_card_pksign (ctrl_t ctrl, + /* FIXME: In the mdalgo case (INDATA,INDATALEN) might be long and + * thus we can't convey it on a single Assuan line. */ + if (!mdalgo) +- gpg_error (GPG_ERR_NOT_IMPLEMENTED); ++ return gpg_error (GPG_ERR_NOT_IMPLEMENTED); + + if (indatalen*2 + 50 > DIM(line)) + return unlock_scd (ctrl, gpg_error (GPG_ERR_GENERAL)); +@@ -941,6 +941,7 @@ card_keyinfo_cb (void *opaque, const char *line) + if (!keyinfo) + { + alloc_error: ++ xfree (keyinfo); + if (!parm->error) + parm->error = gpg_error_from_syserror (); + return 0; +@@ -952,6 +953,7 @@ card_keyinfo_cb (void *opaque, const char *line) + if (n != 40) + { + parm_error: ++ xfree (keyinfo); + if (!parm->error) + parm->error = gpg_error (GPG_ERR_ASS_PARAMETER); + return 0; +diff --git a/agent/protect.c b/agent/protect.c +index 50b10eb26..72169429d 100644 +--- a/agent/protect.c ++++ b/agent/protect.c +@@ -1663,13 +1663,6 @@ agent_get_shadow_info_type (const unsigned char *shadowkey, + n = snext (&s); + if (!n) + return gpg_error (GPG_ERR_INV_SEXP); +- if (shadow_type) { +- char *buf = xtrymalloc(n+1); +- memcpy(buf, s, n); +- buf[n] = '\0'; +- *shadow_type = buf; +- } +- + if (smatch (&s, n, "t1-v1") || smatch(&s, n, "tpm2-v1")) + { + if (*s != '(') +@@ -1679,6 +1672,14 @@ agent_get_shadow_info_type (const unsigned char *shadowkey, + } + else + return gpg_error (GPG_ERR_UNSUPPORTED_PROTOCOL); ++ ++ if (shadow_type) { ++ char *buf = xtrymalloc(n+1); ++ memcpy(buf, s, n); ++ buf[n] = '\0'; ++ *shadow_type = buf; ++ } ++ + return 0; + } + +@@ -1704,9 +1705,9 @@ agent_is_tpm2_key (gcry_sexp_t s_skey) + return 0; + + err = agent_get_shadow_info_type (buf, NULL, &type); ++ xfree (buf); + if (err) + return 0; +- xfree (buf); + + err = strcmp (type, "tpm2-v1") == 0; + xfree (type); +-- +2.30.2 + + +From 9d206e1dfabb965e97723dd799d0f7b3be04116d Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 12 Apr 2021 19:29:21 +0200 +Subject: [PATCH GnuPG 07/19] common: Avoid double-free + +* common/name-value.c (do_nvc_parse): reset to null after ownership + change + +-- + +Signed-off-by: Jakub Jelen +--- + common/name-value.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/common/name-value.c b/common/name-value.c +index 0bd205b7d..39c3244e9 100644 +--- a/common/name-value.c ++++ b/common/name-value.c +@@ -724,6 +724,7 @@ do_nvc_parse (nvc_t *result, int *errlinep, estream_t stream, + if (raw_value) + { + err = _nvc_add (*result, name, NULL, raw_value, 1); ++ name = NULL; + if (err) + goto leave; + } +-- +2.30.2 + + +From 33317744850d10a03ad4215a329a7d4bc3837234 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 12 Apr 2021 19:48:31 +0200 +Subject: [PATCH GnuPG 08/19] dirmgr: Avoid double free + +* dirmgr/http.c (http_prepare_redirect): Avoid double free +* dirmgr/ocsp.c (check_signature): Initialize pointer + +-- + +Signed-off-by: Jakub Jelen +--- + dirmngr/http.c | 2 -- + dirmngr/ocsp.c | 2 +- + 2 files changed, 1 insertion(+), 3 deletions(-) + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index 74ce5f465..c662b1b95 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -3681,7 +3681,6 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code, + if (!newurl) + { + err = gpg_error_from_syserror (); +- http_release_parsed_uri (locuri); + return err; + } + } +@@ -3700,7 +3699,6 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code, + if (!newurl) + { + err = gpg_error_from_syserror (); +- http_release_parsed_uri (locuri); + return err; + } + } +diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c +index 6864f9854..6ec760d81 100644 +--- a/dirmngr/ocsp.c ++++ b/dirmngr/ocsp.c +@@ -450,7 +450,7 @@ check_signature (ctrl_t ctrl, + { + gpg_error_t err; + int algo, cert_idx; +- gcry_sexp_t s_hash; ++ gcry_sexp_t s_hash = NULL; + ksba_cert_t cert; + const char *s; + +-- +2.30.2 + + +From c87d40395b8f24426645cc491dca5cf910755395 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 12 Apr 2021 20:05:48 +0200 +Subject: [PATCH GnuPG 09/19] g10: Avoid memory leaks + +* g10/call-agent.c (card_keyinfo_cb): free keyinfo +* g10/keyedit.c (menu_set_keyserver_url): properly enclose the block +* g10/keygen.c (gen_card_key): free pk and pkt + +-- + +Signed-off-by: Jakub Jelen +--- + g10/call-agent.c | 2 ++ + g10/keyedit.c | 8 +++++--- + g10/keygen.c | 12 ++++++++++-- + 3 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/g10/call-agent.c b/g10/call-agent.c +index 83355454a..c9cbcd4e5 100644 +--- a/g10/call-agent.c ++++ b/g10/call-agent.c +@@ -1729,6 +1729,7 @@ card_keyinfo_cb (void *opaque, const char *line) + if (!keyinfo) + { + alloc_error: ++ xfree (keyinfo); + if (!parm->error) + parm->error = gpg_error_from_syserror (); + return 0; +@@ -1740,6 +1741,7 @@ card_keyinfo_cb (void *opaque, const char *line) + if (n != 40) + { + parm_error: ++ xfree (keyinfo); + if (!parm->error) + parm->error = gpg_error (GPG_ERR_ASS_PARAMETER); + return 0; +diff --git a/g10/keyedit.c b/g10/keyedit.c +index 902741b5f..91731a271 100644 +--- a/g10/keyedit.c ++++ b/g10/keyedit.c +@@ -5382,14 +5382,16 @@ menu_set_keyserver_url (ctrl_t ctrl, const char *url, kbnode_t pub_keyblock) + uri + ? _("Are you sure you want to replace it? (y/N) ") + : _("Are you sure you want to delete it? (y/N) "))) +- xfree (user); +- continue; ++ { ++ xfree (user); ++ continue; ++ } + } + else if (uri == NULL) + { + /* There is no current keyserver URL, so there + is no point in trying to un-set it. */ +- xfree (user); ++ xfree (user); + continue; + } + +diff --git a/g10/keygen.c b/g10/keygen.c +index f1e4d3638..82f6bb880 100644 +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -6140,12 +6140,20 @@ gen_card_key (int keyno, int algo, int is_primary, kbnode_t pub_root, the self-signatures. */ err = agent_readkey (NULL, 1, keyid, &public); if (err) @@ -108,113 +995,360 @@ diff -up gnupg-2.2.21/g10/keygen.c.coverity gnupg-2.2.21/g10/keygen.c if (algo == PUBKEY_ALGO_RSA) err = key_from_sexp (pk->pkey, s_key, "public-key", "ne"); -@@ -5739,6 +5747,7 @@ gen_card_key (int keyno, int algo, int i +-- +2.30.2 + + +From bb6e1e13d9440816c60013a50d426b7ccd6c0288 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 12 Apr 2021 21:59:17 +0200 +Subject: [PATCH GnuPG 10/19] kbx: Avoid uninitialized read + +* kbx/kbx-client-util.c (datastream_thread): Initialize pointer +* kbx/keybox-dump.c (_keybox_dump_cut_records): free blob +* kbx/kbxserver.c (kbxd_start_command_handler): do not free passed ctrl +* kbx/keyboxd.c (check_own_socket): free sockname + +-- + +Signed-off-by: Jakub Jelen +--- + kbx/kbx-client-util.c | 2 +- + kbx/kbxserver.c | 1 - + kbx/keybox-dump.c | 4 +++- + kbx/keyboxd.c | 5 ++++- + 4 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/kbx/kbx-client-util.c b/kbx/kbx-client-util.c +index bd71cf2ba..07370319b 100644 +--- a/kbx/kbx-client-util.c ++++ b/kbx/kbx-client-util.c +@@ -176,7 +176,7 @@ datastream_thread (void *arg) + int rc; + unsigned char lenbuf[4]; + size_t nread, datalen; +- char *data, *tmpdata; ++ char *data = NULL, *tmpdata; + + /* log_debug ("%s: started\n", __func__); */ + while (kcd->fp) +diff --git a/kbx/kbxserver.c b/kbx/kbxserver.c +index 55b478586..0b76cde31 100644 +--- a/kbx/kbxserver.c ++++ b/kbx/kbxserver.c +@@ -844,7 +844,6 @@ kbxd_start_command_handler (ctrl_t ctrl, gnupg_fd_t fd, unsigned int session_id) + { + log_error (_("can't allocate control structure: %s\n"), + gpg_strerror (gpg_error_from_syserror ())); +- xfree (ctrl); + return; + } + ctrl->server_local->client_pid = ASSUAN_INVALID_PID; +diff --git a/kbx/keybox-dump.c b/kbx/keybox-dump.c +index 3e66b72a1..38608ceaa 100644 +--- a/kbx/keybox-dump.c ++++ b/kbx/keybox-dump.c +@@ -881,7 +881,7 @@ _keybox_dump_cut_records (const char *filename, unsigned long from, + unsigned long to, FILE *outfp) + { + estream_t fp; +- KEYBOXBLOB blob; ++ KEYBOXBLOB blob = NULL; + int rc; + unsigned long recno = 0; + +@@ -902,6 +902,7 @@ _keybox_dump_cut_records (const char *filename, unsigned long from, + } + } + _keybox_release_blob (blob); ++ blob = NULL; + recno++; + } + if (rc == -1) +@@ -909,6 +910,7 @@ _keybox_dump_cut_records (const char *filename, unsigned long from, + if (rc) + fprintf (stderr, "error reading '%s': %s\n", filename, gpg_strerror (rc)); + leave: ++ _keybox_release_blob (blob); + if (fp != es_stdin) + es_fclose (fp); + return rc; +diff --git a/kbx/keyboxd.c b/kbx/keyboxd.c +index 76a0694a4..3f759e6f7 100644 +--- a/kbx/keyboxd.c ++++ b/kbx/keyboxd.c +@@ -1795,7 +1795,10 @@ check_own_socket (void) + + err = npth_attr_init (&tattr); + if (err) +- return; ++ { ++ xfree (sockname); ++ return; ++ } + npth_attr_setdetachstate (&tattr, NPTH_CREATE_DETACHED); + err = npth_create (&thread, &tattr, check_own_socket_thread, sockname); + if (err) +-- +2.30.2 + + +From 7f54495586491b18b5e1088ecf5538c0343f90e7 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 13 Apr 2021 14:02:18 +0200 +Subject: [PATCH GnuPG 11/19] scd: avoid memory leaks + +* scd/app-p15.c (send_certinfo): free labelbuf + (do_sign): goto leave instead of return +* scd/app-piv.c (do_sign): goto leave instead of return, fix typo in + variable name, avoid using uninitialized variables +* scd/command.c (cmd_genkey): goto leave instead of return + +-- + +Signed-off-by: Jakub Jelen +--- + scd/app-p15.c | 5 +++-- + scd/app-piv.c | 6 +++--- + scd/command.c | 10 ++++++++-- + 3 files changed, 14 insertions(+), 7 deletions(-) + +diff --git a/scd/app-p15.c b/scd/app-p15.c +index 90f6b4c99..9eeeed960 100644 +--- a/scd/app-p15.c ++++ b/scd/app-p15.c +@@ -3851,6 +3851,7 @@ send_certinfo (app_t app, ctrl_t ctrl, const char *certtype, + labelbuf, strlen (labelbuf), + NULL, (size_t)0); + xfree (buf); ++ xfree (labelbuf); + } + return 0; + } +@@ -5461,7 +5462,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, if (err) { - log_error ("key_from_sexp failed: %s\n", gpg_strerror (err) ); -+ xfree (pkt); - free_public_key (pk); - return err; + log_error ("p15: MSE failed: %s\n", gpg_strerror (err)); +- return err; ++ goto leave; } -diff -up gnupg-2.2.21/g10/sig-check.c.coverity gnupg-2.2.21/g10/sig-check.c ---- gnupg-2.2.21/g10/sig-check.c.coverity 2020-07-03 16:17:05.000000000 +0200 -+++ gnupg-2.2.21/g10/sig-check.c 2020-07-20 17:09:57.420148801 +0200 -@@ -902,6 +902,7 @@ check_signature_over_key_or_uid (ctrl_t - { - /* Issued by a subkey. */ - signer = subk; -+ *is_selfsig = 1; - break; - } - } -diff -up gnupg-2.2.21/g10/sign.c.coverity gnupg-2.2.21/g10/sign.c ---- gnupg-2.2.21/g10/sign.c.coverity 2020-07-20 17:09:57.399148624 +0200 -+++ gnupg-2.2.21/g10/sign.c 2020-07-20 17:09:57.420148801 +0200 -@@ -824,7 +824,7 @@ write_signature_packets (ctrl_t ctrl, - PKT_public_key *pk; - PKT_signature *sig; - gcry_md_hd_t md; -- gpg_error_t err; -+ gpg_error_t err = 0; - pk = sk_rover->pk; - -diff -up gnupg-2.2.21/kbx/keybox-dump.c.coverity gnupg-2.2.21/kbx/keybox-dump.c ---- gnupg-2.2.21/kbx/keybox-dump.c.coverity 2019-08-23 15:59:06.000000000 +0200 -+++ gnupg-2.2.21/kbx/keybox-dump.c 2020-07-20 17:09:57.420148801 +0200 -@@ -786,11 +786,15 @@ _keybox_dump_cut_records (const char *fi - while ( !(rc = _keybox_read_blob (&blob, fp, NULL)) ) + /* Now that we have all the information available run the actual PIN +@@ -5500,7 +5501,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, + if (err) { - if (recno > to) -- break; /* Ready. */ -+ { -+ _keybox_release_blob (blob); -+ break; /* Ready. */ -+ } - if (recno >= from) + log_error ("p15: MSE failed: %s\n", gpg_strerror (err)); +- return err; ++ goto leave; + } + + if (prkdf->keyalgo == GCRY_PK_RSA && prkdf->keynbits > 2048) +diff --git a/scd/app-piv.c b/scd/app-piv.c +index ead1b1974..143cc047a 100644 +--- a/scd/app-piv.c ++++ b/scd/app-piv.c +@@ -2175,7 +2175,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, + unsigned char oidbuf[64]; + size_t oidbuflen; + unsigned char *outdata = NULL; +- size_t outdatalen; ++ size_t outdatalen = 0; + const unsigned char *s; + size_t n; + int keyref, mechanism; +@@ -2357,7 +2357,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, + /* Now verify the Application PIN. */ + err = verify_chv (app, ctrl, 0x80, force_verify, pincb, pincb_arg); + if (err) +- return err; ++ goto leave; + + /* Build the Dynamic Authentication Template. */ + err = concat_tlv_list (0, &apdudata, &apdudatalen, +@@ -2403,7 +2403,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, + goto bad_der; + log_assert (n >= (rval-s)+rlen); + sval = find_tlv (rval+rlen, n-((rval-s)+rlen), 0x02, &slen); +- if (!rval) ++ if (!sval) + goto bad_der; + rlenx = slenx = 0; + if (rlen > slen) +diff --git a/scd/command.c b/scd/command.c +index 11d61648b..cb0dd379a 100644 +--- a/scd/command.c ++++ b/scd/command.c +@@ -1438,7 +1438,10 @@ cmd_genkey (assuan_context_t ctx, char *line) + + line = skip_options (line); + if (!*line) +- return set_error (GPG_ERR_ASS_PARAMETER, "no key number given"); ++ { ++ err = set_error (GPG_ERR_ASS_PARAMETER, "no key number given"); ++ goto leave; ++ } + keyref = line; + while (*line && !spacep (line)) + line++; +@@ -1448,7 +1451,10 @@ cmd_genkey (assuan_context_t ctx, char *line) + goto leave; + + if (!ctrl->card_ctx) +- return gpg_error (GPG_ERR_UNSUPPORTED_OPERATION); ++ { ++ err = gpg_error (GPG_ERR_UNSUPPORTED_OPERATION); ++ goto leave; ++ } + + keyref = keyref_buffer = xtrystrdup (keyref); + if (!keyref) +-- +2.30.2 + + +From 3b2d9059b95ddb95a9e9fbaceb2f17c8be31d229 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 13 Apr 2021 14:50:13 +0200 +Subject: [PATCH GnuPG 12/19] tools: Intialize pointer to avoid double free + +* tools/gpg-card.c (cmd_salut): Initialize data pointer + +-- + +Signed-off-by: Jakub Jelen +--- + tools/gpg-card.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/gpg-card.c b/tools/gpg-card.c +index 1889fb45c..e84d2fbb0 100644 +--- a/tools/gpg-card.c ++++ b/tools/gpg-card.c +@@ -1785,6 +1785,7 @@ cmd_salut (card_info_t info, const char *argstr) { - if ((rc = _keybox_write_blob (blob, NULL, outfp))) - { -+ _keybox_release_blob (blob); - fprintf (stderr, "error writing output: %s\n", - gpg_strerror (rc)); - goto leave; -diff -up gnupg-2.2.21/tools/gpg-wks-server.c.coverity gnupg-2.2.21/tools/gpg-wks-server.c ---- gnupg-2.2.21/tools/gpg-wks-server.c.coverity 2020-02-10 16:12:13.000000000 +0100 -+++ gnupg-2.2.21/tools/gpg-wks-server.c 2020-07-20 17:09:57.420148801 +0200 -@@ -890,15 +890,18 @@ store_key_as_pending (const char *dir, e + tty_printf (_("Error: invalid response.\n")); + xfree (data); ++ data = NULL; + goto again; + } } +-- +2.30.2 + + +From 7c8048b686a6e811d0b24febf3c5e2528e7881f1 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 13 Apr 2021 16:23:31 +0200 +Subject: [PATCH GnuPG 14/19] dirmgr: Avoid memory leaks + +* dirmngr/domaininfo.c (insert_or_update): free di_new + +-- + +Signed-off-by: Jakub Jelen +--- + dirmngr/domaininfo.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/dirmngr/domaininfo.c b/dirmngr/domaininfo.c +index b41aef366..87782b4b1 100644 +--- a/dirmngr/domaininfo.c ++++ b/dirmngr/domaininfo.c +@@ -193,6 +193,7 @@ insert_or_update (const char *domain, + log_error ("domaininfo: error allocating helper array: %s\n", + gpg_strerror (gpg_err_code_from_syserror ())); + drop_extra = bucket; ++ xfree (di_new); + goto leave; + } + narray = 0; +-- +2.30.2 + + +From ab3b8c53993b3305088efde756a44bac6e6492d4 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 13 Apr 2021 16:34:40 +0200 +Subject: [PATCH GnuPG 15/19] scd: Avoid memory leaks and uninitialized memory + +* scd/app-piv.c (do_decipher): goto leave, initialize outdatalen + +-- + +Signed-off-by: Jakub Jelen +--- + scd/app-piv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scd/app-piv.c b/scd/app-piv.c +index 143cc047a..94257f0ee 100644 +--- a/scd/app-piv.c ++++ b/scd/app-piv.c +@@ -2483,7 +2483,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr, + gpg_error_t err; + data_object_t dobj; + unsigned char *outdata = NULL; +- size_t outdatalen; ++ size_t outdatalen = 0; + const unsigned char *s; + size_t n; + int keyref, mechanism; +@@ -2582,7 +2582,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr, + /* Now verify the Application PIN. */ + err = verify_chv (app, ctrl, 0x80, 0, pincb, pincb_arg); + if (err) +- return err; ++ goto leave; - leave: -- if (err) -+ if (fname) - { -- es_fclose (outfp); -- gnupg_remove (fname); -- } -- else if (es_fclose (outfp)) -- { -- err = gpg_error_from_syserror (); -- log_error ("error closing '%s': %s\n", fname, gpg_strerror (err)); -+ if (err) -+ { -+ es_fclose (outfp); -+ gnupg_remove (fname); -+ } -+ else if (es_fclose (outfp)) -+ { -+ err = gpg_error_from_syserror (); -+ log_error ("error closing '%s': %s\n", fname, gpg_strerror (err)); -+ } - } - - if (!err) -diff -up gnupg-2.2.21/tools/wks-util.c.coverity gnupg-2.2.21/tools/wks-util.c ---- gnupg-2.2.21/tools/wks-util.c.coverity 2019-11-23 13:50:21.000000000 +0100 -+++ gnupg-2.2.21/tools/wks-util.c 2020-07-20 17:09:57.421148810 +0200 -@@ -948,7 +948,7 @@ ensure_policy_file (const char *addrspec - static gpg_error_t - install_key_from_spec_file (const char *fname) + /* Build the Dynamic Authentication Template. */ + err = concat_tlv_list (0, &apdudata, &apdudatalen, +-- +2.30.2 + + +From f182bf91443618323e34261039045a6bde269be5 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 13 Apr 2021 16:44:48 +0200 +Subject: [PATCH GnuPG 16/19] tools: Avoid memory leaks + +* tools/wks-util.c (wks_cmd_print_wkd_url): Free addrspec on error + (wks_cmd_print_wkd_hash): Free addrspec on error + +-- + +Signed-off-by: Jakub Jelen +--- + tools/wks-util.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/tools/wks-util.c b/tools/wks-util.c +index 516c7fe00..38dd194ff 100644 +--- a/tools/wks-util.c ++++ b/tools/wks-util.c +@@ -1192,11 +1192,14 @@ gpg_error_t + wks_cmd_print_wkd_hash (const char *userid) { -- gpg_error_t err; -+ gpg_error_t err = 0; - estream_t fp; - char *line = NULL; - size_t linelen = 0; -@@ -1195,10 +1195,8 @@ wks_cmd_print_wkd_hash (const char *user - char *addrspec, *fname; + gpg_error_t err; +- char *addrspec, *fname; ++ char *addrspec = NULL, *fname; err = wks_fname_from_userid (userid, 1, &fname, &addrspec); -- if (err) + if (err) - return err; -- -- es_printf ("%s %s\n", fname, addrspec); -+ if (!err) -+ es_printf ("%s %s\n", fname, addrspec); ++ { ++ xfree (addrspec); ++ return err; ++ } - xfree (fname); - xfree (addrspec); -@@ -1216,7 +1214,10 @@ wks_cmd_print_wkd_url (const char *useri + es_printf ("%s %s\n", fname, addrspec); + +@@ -1211,12 +1214,15 @@ gpg_error_t + wks_cmd_print_wkd_url (const char *userid) + { + gpg_error_t err; +- char *addrspec, *fname; ++ char *addrspec = NULL, *fname; + char *domain; err = wks_fname_from_userid (userid, 1, &fname, &addrspec); if (err) @@ -226,3 +1360,103 @@ diff -up gnupg-2.2.21/tools/wks-util.c.coverity gnupg-2.2.21/tools/wks-util.c domain = strchr (addrspec, '@'); if (domain) +-- +2.30.2 + + +From 600fabd8268c765d45d48873e7a8610e6dae0966 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 14 Apr 2021 15:59:12 +0200 +Subject: [PATCH GnuPG 17/19] scd: Use the same allocator to free memory + +* scd/command.c (cmd_getinfo): Use free instead of gcry_free to match + the original allocator + +-- + +Signed-off-by: Jakub Jelen +--- + scd/command.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scd/command.c b/scd/command.c +index cb0dd379a..9d85c5a41 100644 +--- a/scd/command.c ++++ b/scd/command.c +@@ -1832,7 +1832,8 @@ cmd_getinfo (assuan_context_t ctx, char *line) + rc = assuan_send_data (ctx, p, strlen (p)); + else + rc = gpg_error (GPG_ERR_NO_DATA); +- xfree (p); ++ /* allocated by scd/ccid-driver.c which is not using x*alloc/gcry_* */ ++ free (p); + } + else if (!strcmp (line, "deny_admin")) + rc = opt.allow_admin? gpg_error (GPG_ERR_GENERAL) : 0; +-- +2.30.2 + + +From f45f023495cb9947b2c31b5782a4063ad317c34c Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 14 Apr 2021 18:46:48 +0200 +Subject: [PATCH GnuPG 18/19] common: Mark identical branches as intential + +* common/tlv-builder.c (get_tlv_length): Mark identical branches as + inentional for coverity + +-- + +Signed-off-by: Jakub Jelen +--- + common/tlv-builder.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/common/tlv-builder.c b/common/tlv-builder.c +index 3b644ca24..59e2691e0 100644 +--- a/common/tlv-builder.c ++++ b/common/tlv-builder.c +@@ -350,6 +350,7 @@ get_tlv_length (int class, int tag, int constructed, size_t length) + + (void)constructed; /* Not used, but passed for uniformity of such calls. */ + ++ /* coverity[identical_branches] */ + if (tag < 0x1f) + { + buflen++; +-- +2.30.2 + + +From a94b0deab7c2ece2e512f87a52142454354d77b5 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 14 Apr 2021 18:49:03 +0200 +Subject: [PATCH GnuPG 19/19] g10: Do not allocate memory when we can't return + it + +* g10/keyid.c (fpr20_from_pk): Do not allocate memory when we can't + return it + +-- + +Signed-off-by: Jakub Jelen +--- + g10/keyid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/g10/keyid.c b/g10/keyid.c +index 522cc9cda..f1af2fd90 100644 +--- a/g10/keyid.c ++++ b/g10/keyid.c +@@ -899,7 +899,7 @@ fpr20_from_pk (PKT_public_key *pk, byte array[20]) + compute_fingerprint (pk); + + if (!array) +- array = xmalloc (pk->fprlen); ++ return; + + if (pk->fprlen == 32) /* v5 fingerprint */ + { +-- +2.30.2 +