curl-library
Re: [PATCH] lib/ssluse.c: verifyhost(): peer_CN leak
Date: Tue, 22 May 2007 16:32:14 -0400
On May 22, 2007, at 3:50 PM, Daniel Stenberg wrote:
> On Tue, 22 May 2007, Andre Guibert de Bruet wrote:
>
>> While auditing memory usage in a piece of software that makes
>> extensive use of cURL's HTTPS functionality, I came across a
>> condition in which cURL leaks the peer_CN heap variable in lib/
>> ssluse.c if the call to Curl_convert_from_utf8() is unsuccessful.
>> This following is a diff against 7.16.2:
>
> Thanks, applied!
Thanks for the quick turnaround! I am quite impressed! :)
This next issue is much like the first. In the PKCS12 case, a
PKCS12_parse() error causes a leak of the p12 heap-allocated variable
(The line offsets are 7.16.2 + my previous patch).
--- ssluse.c.orig 2007-05-22 15:11:30.000000000 -0400
+++ ssluse.c 2007-05-22 16:26:28.000000000 -0400
@@ -377,6 +377,7 @@
failf(data,
"could not parse PKCS12 file, check password, OpenSSL
error %s",
ERR_error_string(ERR_get_error(), NULL) );
+ PKCS12_free(p12);
return 0;
}
Regards,
/* Andre Guibert de Bruet * 6f43 6564 7020 656f 2e74 4220 7469 6a20 */
/* Code poet / Sysadmin * 636f 656b 2e79 5320 7379 6461 696d 2e6e */
/* GSM: +1 734 846 8758 * 5520 494e 2058 6c73 7565 6874 002e 0000 */
/* WWW: siliconlandmark.com * C/C++, Java, Perl, PHP, SQL, XHTML, XML */
Received on 2007-05-22