[openldap] fix: memleak - free the return of tlsm_find_and_verify_cert_key
jvcelak
jvcelak at fedoraproject.org
Wed Aug 24 17:35:58 UTC 2011
commit 8ac21093cd8ba66381b292c86abccf76aebc0367
Author: Jan Vcelak <jvcelak at redhat.com>
Date: Wed Aug 24 18:48:35 2011 +0200
fix: memleak - free the return of tlsm_find_and_verify_cert_key
Resolves: #725818
openldap-nss-memleak-free-certs.patch | 40 +++++++++++++++++++++++++++++++++
openldap.spec | 3 ++
2 files changed, 43 insertions(+), 0 deletions(-)
---
diff --git a/openldap-nss-memleak-free-certs.patch b/openldap-nss-memleak-free-certs.patch
new file mode 100644
index 0000000..f045c6c
--- /dev/null
+++ b/openldap-nss-memleak-free-certs.patch
@@ -0,0 +1,40 @@
+MozNSS: free the return of tlsm_find_and_verify_cert_key
+
+If tlsm_find_and_verify_cert_key finds the cert and/or key, and it fails
+to verify them, it will leave them allocated for the caller to dispose of.
+There were a couple of places that were not disposing of the cert and key
+upon error.
+
+Author: Rich Megginson <rmeggins at redhat.com>
+Upstream ITS: #7001
+Upstream commit: fb4b4f7445d9392fbae097cc861e4cfb1694dcae
+Resolves: #725818
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 7ae7d82..72fdf49 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1811,6 +1811,14 @@ tlsm_get_client_auth_data( void *arg, PRFileDesc *fd,
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: unable to perform client certificate authentication for "
+ "certificate named %s\n", ctx->tc_certname, 0, 0 );
++ if ( pRetKey && *pRetKey ) {
++ SECKEY_DestroyPrivateKey( *pRetKey );
++ *pRetKey = NULL;
++ }
++ if ( pRetCert && *pRetCert ) {
++ CERT_DestroyCertificate( *pRetCert );
++ *pRetCert = NULL;
++ }
+ return SECFailure;
+ }
+
+@@ -2162,6 +2170,8 @@ tlsm_deferred_ctx_init( void *arg )
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: unable to find and verify server's cert and key for certificate %s\n",
+ ctx->tc_certname, 0, 0 );
++ CERT_DestroyCertificate( serverCert );
++ SECKEY_DestroyPrivateKey( serverKey );
+ return -1;
+ }
+
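Review bot: The two destroy calls added in the tlsm_deferred_ctx_init hunk are unconditional, so they are correct only if serverCert and serverKey are set to NULL before tlsm_find_and_verify_cert_key is called and that helper never leaves either out-pointer untouched on its failure path; that initialisation and the helper are outside the hunk, and if either assumption does not hold the call frees an indeterminate pointer. NSS's CERT_DestroyCertificate and SECKEY_DestroyPrivateKey tolerate a NULL argument as far as I know, but not garbage, and the earlier tlsm_get_client_auth_data hunk guards its cleanup on `*pRetKey`/`*pRetCert` being non-NULL, so the two hunks are inconsistent in the invariant they rely on. Using the same guarded form here, `if ( serverCert ) CERT_DestroyCertificate( serverCert );` and `if ( serverKey ) SECKEY_DestroyPrivateKey( serverKey );`, makes the cleanup independent of how the locals were initialised; alternatively a one-line comment above the calls noting that both locals are NULL-initialised would document the assumption. Both enclosing functions start and end outside the hunks.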
diff --git a/openldap.spec b/openldap.spec
index 22226b4..8e5379e 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -33,6 +33,7 @@ Patch7: openldap-nss-free-peer-cert.patch
Patch8: openldap-nss-init-threadsafe.patch
Patch9: openldap-nss-reqcert-hostname.patch
Patch10: openldap-nss-verifycert.patch
+Patch11: openldap-nss-memleak-free-certs.patch
# patches for the evolution library (see README.evolution)
Patch200: openldap-evolution-ntlm.patch
@@ -136,6 +137,7 @@ pushd openldap-%{version}
%patch8 -p1 -b .nss-init-threadsafe
%patch9 -p1 -b .nss-reqcert-hostname
%patch10 -p1 -b .nss-verifycert
+%patch11 -p1 -b .nss-memleak-free-certs
cp %{_datadir}/libtool/config/config.{sub,guess} build/
@@ -663,6 +665,7 @@ exit 0
- security hardening: library needs partial RELRO support added (#733071)
- fix: NSS_Init* functions are not thread safe (#731112)
- fix: incorrect behavior of allow/try options of VerifyCert and TLS_REQCERT (#725819)
+- fix: memleak - free the return of tlsm_find_and_verify_cert_key (#725818)
* Sun Aug 14 2011 Rex Dieter <rdieter at fedoraproject.org> - 2.4.26-1.1
- Rebuilt for rpm (#728707)