rpms/openldap
7
0
Fork 0
Code Issues Pull Requests Releases Activity

fix: memleak - free the return of tlsm_find_and_verify_cert_key

Browse Source 
Resolves: #725818
This commit is contained in:
Jan Vcelak 2011-08-24 18:48:35 +02:00
parent 49f6078a21
commit 8ac21093cd
2 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
openldap-nss-memleak-free-certs.patch Normal file
View File

@ -0,0 +1,40 @@
MozNSS: free the return of tlsm_find_and_verify_cert_key
If tlsm_find_and_verify_cert_key finds the cert and/or key, and it fails
to verify them, it will leave them allocated for the caller to dispose of.
There were a couple of places that were not disposing of the cert and key
upon error.
Author: Rich Megginson <rmeggins@redhat.com>
Upstream ITS: #7001
Upstream commit: fb4b4f7445d9392fbae097cc861e4cfb1694dcae
Resolves: #725818
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 7ae7d82..72fdf49 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1811,6 +1811,14 @@ tlsm_get_client_auth_data( void *arg, PRFileDesc *fd,
Debug( LDAP_DEBUG_ANY,
"TLS: error: unable to perform client certificate authentication for "
"certificate named %s\n", ctx->tc_certname, 0, 0 );
+ if ( pRetKey && *pRetKey ) {
+ SECKEY_DestroyPrivateKey( *pRetKey );
+ *pRetKey = NULL;
+ }
+ if ( pRetCert && *pRetCert ) {
+ CERT_DestroyCertificate( *pRetCert );
+ *pRetCert = NULL;
+ }
return SECFailure;
}
@@ -2162,6 +2170,8 @@ tlsm_deferred_ctx_init( void *arg )
Debug( LDAP_DEBUG_ANY,
"TLS: error: unable to find and verify server's cert and key for certificate %s\n",
ctx->tc_certname, 0, 0 );
+ CERT_DestroyCertificate( serverCert );
+ SECKEY_DestroyPrivateKey( serverKey );
return -1;
}

3
openldap.spec
View File

@ -33,6 +33,7 @@ Patch7: openldap-nss-free-peer-cert.patch
Patch8: openldap-nss-init-threadsafe.patch
Patch9: openldap-nss-reqcert-hostname.patch
Patch10: openldap-nss-verifycert.patch
Patch11: openldap-nss-memleak-free-certs.patch
# patches for the evolution library (see README.evolution)
Patch200: openldap-evolution-ntlm.patch
@ -136,6 +137,7 @@ pushd openldap-%{version}
%patch8 -p1 -b .nss-init-threadsafe
%patch9 -p1 -b .nss-reqcert-hostname
%patch10 -p1 -b .nss-verifycert
%patch11 -p1 -b .nss-memleak-free-certs
cp %{_datadir}/libtool/config/config.{sub,guess} build/
@ -663,6 +665,7 @@ exit 0
- security hardening: library needs partial RELRO support added (#733071)
- fix: NSS_Init* functions are not thread safe (#731112)
- fix: incorrect behavior of allow/try options of VerifyCert and TLS_REQCERT (#725819)
- fix: memleak - free the return of tlsm_find_and_verify_cert_key (#725818)
* Sun Aug 14 2011 Rex Dieter <rdieter@fedoraproject.org> - 2.4.26-1.1
- Rebuilt for rpm (#728707)