pkcs15: Clean tokeninfo on parse errors to avoid memory leaks

Thanks oss-fuzz

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27779
This commit is contained in:
Jakub Jelen 2020-11-30 15:52:26 +01:00 committed by Jakub Jelen
parent fb83cd0439
commit 3ffe24cfb6
1 changed files with 33 additions and 14 deletions

View File

@ -130,6 +130,7 @@ static void sc_pkcs15_remove_dfs(struct sc_pkcs15_card *);
static void sc_pkcs15_remove_objects(struct sc_pkcs15_card *);
static int sc_pkcs15_aux_get_md_guid(struct sc_pkcs15_card *, const struct sc_pkcs15_object *,
unsigned, unsigned char *, size_t *);
static void sc_pkcs15_clear_tokeninfo(struct sc_pkcs15_tokeninfo *tokeninfo);
int sc_pkcs15_parse_tokeninfo(sc_context_t *ctx,
sc_pkcs15_tokeninfo_t *ti, const u8 *buf, size_t blen)
@ -217,7 +218,11 @@ int sc_pkcs15_parse_tokeninfo(sc_context_t *ctx,
sc_format_asn1_entry(asn1_tokeninfo, asn1_toki_attrs, NULL, 0);
r = sc_asn1_decode(ctx, asn1_tokeninfo, buf, blen, NULL, NULL);
LOG_TEST_RET(ctx, r, "ASN.1 parsing of EF(TokenInfo) failed");
if (r != SC_SUCCESS) {
/* The decoding could have allocated something we need to free */
sc_pkcs15_clear_tokeninfo(ti);
LOG_TEST_RET(ctx, r, "ASN.1 parsing of EF(TokenInfo) failed");
}
if (asn1_toki_attrs[1].flags & SC_ASN1_PRESENT && serial_len > 0) {
free(ti->serial_number);
@ -726,6 +731,32 @@ sc_pkcs15_tokeninfo_new(void)
return tokeninfo;
}
static void
sc_pkcs15_clear_tokeninfo(struct sc_pkcs15_tokeninfo *tokeninfo)
{
if (!tokeninfo)
return;
free(tokeninfo->label);
tokeninfo->label = NULL;
free(tokeninfo->serial_number);
tokeninfo->serial_number = NULL;
free(tokeninfo->manufacturer_id);
tokeninfo->manufacturer_id = NULL;
free(tokeninfo->last_update.gtime);
tokeninfo->last_update.gtime = NULL;
free(tokeninfo->preferred_language);
tokeninfo->preferred_language = NULL;
free(tokeninfo->profile_indication.name);
tokeninfo->profile_indication.name = NULL;
if (tokeninfo->seInfo != NULL) {
unsigned i;
for (i = 0; i < tokeninfo->num_seInfo; i++)
free(tokeninfo->seInfo[i]);
free(tokeninfo->seInfo);
tokeninfo->seInfo = NULL;
}
}
void
sc_pkcs15_free_tokeninfo(struct sc_pkcs15_tokeninfo *tokeninfo)
@ -733,22 +764,10 @@ sc_pkcs15_free_tokeninfo(struct sc_pkcs15_tokeninfo *tokeninfo)
if (!tokeninfo)
return;
free(tokeninfo->label);
free(tokeninfo->serial_number);
free(tokeninfo->manufacturer_id);
free(tokeninfo->last_update.gtime);
free(tokeninfo->preferred_language);
free(tokeninfo->profile_indication.name);
if (tokeninfo->seInfo != NULL) {
unsigned i;
for (i = 0; i < tokeninfo->num_seInfo; i++)
free(tokeninfo->seInfo[i]);
free(tokeninfo->seInfo);
}
sc_pkcs15_clear_tokeninfo(tokeninfo);
free(tokeninfo);
}
void
sc_pkcs15_free_app(struct sc_pkcs15_card *p15card)
{