asn1: Free template memory leak

New AFL session in progress.
Nicolas Williams
2021-03-09 11:21:54 -06:00
parent 2a826fb331
commit 8bc4bae52d


@@ -732,7 +732,8 @@ _asn1_decode(const struct asn1_template *t, unsigned flags,
* Important notes: * Important notes:
* *
* - by and large we don't call _asn1_free() on error, except when we're * - by and large we don't call _asn1_free() on error, except when we're
* decoding optional things, then we do call _asn1_free() here * decoding optional things or choices, then we do call _asn1_free()
* here
* *
* instead we leave it to _asn1_decode_top() to call _asn1_free() on * instead we leave it to _asn1_decode_top() to call _asn1_free() on
* error * error
@@ -744,6 +745,8 @@ _asn1_decode(const struct asn1_template *t, unsigned flags,
* *
* - so we must initialize everything * - so we must initialize everything
* *
* FIXME? but we mostly rely on calloc() to do this...
*
* - we don't use malloc() unless we're going to write over the whole * - we don't use malloc() unless we're going to write over the whole
* thing with memcpy() or whatever * thing with memcpy() or whatever
*/ */
@@ -1156,9 +1159,11 @@ _asn1_decode(const struct asn1_template *t, unsigned flags,
*element = i; *element = i;
p += datalen; len -= datalen; p += datalen; len -= datalen;
break; break;
} else if (ret != ASN1_BAD_ID && ret != ASN1_MISPLACED_FIELD && ret != ASN1_MISSING_FIELD) {
return ret;
} }
_asn1_free(choice[i].ptr, DPO(data, choice[i].offset));
if (ret != ASN1_BAD_ID && ret != ASN1_MISPLACED_FIELD &&
ret != ASN1_MISSING_FIELD)
return ret;
} }
if (i >= A1_HEADER_LEN(choice) + 1 || !choice[i].tt) { if (i >= A1_HEADER_LEN(choice) + 1 || !choice[i].tt) {
if (choice->tt == 0) if (choice->tt == 0)
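Review bot: The new `_asn1_free(choice[i].ptr, DPO(data, choice[i].offset));` call in the CHOICE loop releases a failed alternative, but nothing in the hunk shows that its storage is back in a zero-initialized state before the loop decodes the next alternative, possibly into the same union storage. The header comment touched by this same commit says the decoder depends on everything being initialized, mostly via calloc(). If _asn1_free() leaves a freed pointer in place, a later alternative that fails partway, or the cleanup in _asn1_decode_top(), could release it a second time on malformed input. Either confirm that _asn1_free() resets every pointer it releases and record that at the call, e.g. `/* _asn1_free() leaves the alternative zeroed, so the next one can be tried */`, or clear the alternative's storage explicitly before continuing. _asn1_decode() starts and ends outside the hunk, so the element bookkeeping that decides what the top-level cleanup frees is not visible here.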