[openssl-dev] [openssl.org #4131] Memory leak when parsing invalid X509_ATTRIBUTE

Adam Langley via RT rt at openssl.org
Tue Nov 10 01:26:02 UTC 2015


The following code:

EVP_PKEY_free(d2i_AutoPrivateKey(NULL, &bufp, n));

Will leak memory when fed this input:

30390201023009060138080469303080301901029ff88b298030b01b060922be0804e930864886f70d3a0180093080060102308030013b0200000420308204e930c3e8300105308030013b01040202ff003029021103292902009930800621022404e83001010430801b06092a86483001aa0286c030dfe980

I believe this is because the X509_ATTRIBUTE item "combines" the first
and second members. Thus, after parsing an ASN1_OBJECT, the main loop
in ASN1_item_ex_d2i does `pseqval = asn1_get_field_ptr(pval, seqtt);`
with i=1 and gets pseqval=pval. ASN1_item_ex_d2i has code to "/* Free
up and zero CHOICE value if initialised */", but it doesn't trigger in
this situation and then ASN1_item_ex_d2i overwrites the ASN1_OBJECT
pointer and leaks it.

The trace of the leak is the following, from 1.0.1 HEAD:

==12959== 41 (40 direct, 1 indirect) bytes in 1 blocks are definitely lost in loss record 7 of 16
==12959==    at 0x40307C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==12959==    by 0x40AB43: default_malloc_ex (/agl/openssl/crypto/mem.c:79)
==12959==    by 0x40B1D3: CRYPTO_malloc (/agl/openssl/crypto/mem.c:342)
==12959==    by 0x432006: ASN1_OBJECT_new (/agl/openssl/crypto/asn1/a_object.c:346)
==12959==    by 0x431E6E: c2i_ASN1_OBJECT (/agl/openssl/crypto/asn1/a_object.c:301)
==12959==    by 0x4069D7: asn1_ex_c2i (/agl/openssl/crypto/asn1/tasn_dec.c:874)
==12959==    by 0x40682A: asn1_d2i_ex_primitive (/agl/openssl/crypto/asn1/tasn_dec.c:831)
==12959==    by 0x404F15: ASN1_item_ex_d2i (/agl/openssl/crypto/asn1/tasn_dec.c:207)
==12959==    by 0x40632C: asn1_template_noexp_d2i (/agl/openssl/crypto/asn1/tasn_dec.c:691)
==12959==    by 0x405F20: asn1_template_ex_d2i (/agl/openssl/crypto/asn1/tasn_dec.c:579)
==12959==    by 0x4059DD: ASN1_item_ex_d2i (/agl/openssl/crypto/asn1/tasn_dec.c:443)
==12959==    by 0x4061B6: asn1_template_noexp_d2i (/agl/openssl/crypto/asn1/tasn_dec.c:663)

_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-mod at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
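The bug above is an error-path ownership problem: a decoder allocates a sub-object (here an ASN1_OBJECT) and then loses the pointer before the rejected input is cleaned up. The following is an added example, not OpenSSL code and not from the report's author: a minimal strict DER walker in C that rejects malformed input (over-long elements, indefinite lengths) and releases every partially built node on the way out, with a live-allocation counter standing in for valgrind. It is run over the report's own hex input, which it rejects at byte offset 22, where a context tag [11] element claims 41 bytes inside a SEQUENCE that has only 19 left. The names der_node, der_parse and check_input are this example's own, and the counter is a stand-in for a real leak checker.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not OpenSSL code): a strict DER walker whose error path
 * frees everything it allocated, checked with a live-node counter. */
typedef struct der_node {
    unsigned char tag;          /* identifier octet (single-byte tags only) */
    size_t len;                 /* content length */
    const unsigned char *val;   /* points into the caller's buffer */
    struct der_node *child;     /* first child when the tag is constructed */
    struct der_node *next;      /* next sibling */
} der_node;

static size_t g_live_nodes;     /* nodes allocated and not yet freed */

static der_node *node_new(void)
{
    der_node *n = calloc(1, sizeof *n);
    if (n)
        g_live_nodes++;
    return n;
}

/* Free a sibling list and every subtree hanging off it. */
static void der_free(der_node *n)
{
    while (n) {
        der_node *next = n->next;
        der_free(n->child);
        free(n);
        g_live_nodes--;
        n = next;
    }
}

/* Decode one identifier + length header. Rejects multi-byte tags, the
 * indefinite form (0x80), lengths wider than 4 octets and any length that
 * overruns the enclosing container. Returns 0 on success. */
static int der_header(const unsigned char *p, size_t avail,
                      unsigned char *tag, size_t *hdr, size_t *len)
{
    if (avail < 2 || (p[0] & 0x1f) == 0x1f)
        return -1;
    *tag = p[0];
    if (p[1] < 0x80) {
        *len = p[1];
        *hdr = 2;
    } else {
        size_t nb = p[1] & 0x7f, l = 0, k;
        if (nb == 0 || nb > 4 || 2 + nb > avail)
            return -1;
        for (k = 0; k < nb; k++)
            l = (l << 8) | p[2 + k];
        *len = l;
        *hdr = 2 + nb;
    }
    return *len <= avail - *hdr ? 0 : -1;
}

/* Parse the siblings that exactly fill [p, p + avail). On any error the nodes
 * built so far are freed before NULL is returned and *err receives the
 * absolute offset of the offending element. An empty container yields NULL
 * without an error; callers tell the two apart by avail == 0. */
static der_node *der_parse(const unsigned char *p, size_t avail,
                           size_t base, size_t *err)
{
    der_node *head = NULL, **tail = &head;
    size_t off = 0;

    while (off < avail) {
        unsigned char tag;
        size_t hdr, len;
        der_node *n;

        if (der_header(p + off, avail - off, &tag, &hdr, &len) != 0 ||
            (n = node_new()) == NULL) {
            *err = base + off;
            der_free(head);             /* release the partial tree */
            return NULL;
        }
        n->tag = tag;
        n->len = len;
        n->val = p + off + hdr;
        *tail = n;                      /* link first so cleanup covers it */
        tail = &n->next;
        if ((tag & 0x20) && len > 0) {  /* constructed: recurse into content */
            n->child = der_parse(n->val, len, base + off + hdr, err);
            if (n->child == NULL) {
                der_free(head);
                return NULL;
            }
        }
        off += hdr + len;
    }
    return head;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

static int hex_decode(const char *hex, unsigned char *out, size_t cap)
{
    size_t n = strlen(hex), i;
    if (n % 2 || n / 2 > cap)
        return -1;
    for (i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    return (int)(n / 2);
}

/* The input from the report, verbatim. */
static const char *REPORTED_INPUT =
    "30390201023009060138080469303080301901029ff88b298030b01b060922be0804e9"
    "30864886f70d3a0180093080060102308030013b0200000420308204e930c3e8300105"
    "308030013b01040202ff003029021103292902009930800621022404e83001010430801b"
    "06092a86483001aa0286c030dfe980";

/* Returns 1 if hex decodes as strict DER, 0 if rejected, -1 on bad hex.
 * *stop_at: offset of the rejected element (or the input length on success);
 * *leaked: live nodes after cleanup (must be 0); *top_count: top-level nodes. */
int check_input(const char *hex, size_t *stop_at, size_t *leaked, size_t *top_count)
{
    unsigned char buf[256];
    size_t err = 0;
    der_node *root, *c;
    int n = hex_decode(hex, buf, sizeof buf), ok;

    if (n < 0)
        return -1;
    root = der_parse(buf, (size_t)n, 0, &err);
    ok = (root != NULL || n == 0);
    *top_count = 0;
    for (c = root; c; c = c->next)
        (*top_count)++;
    *stop_at = ok ? (size_t)n : err;
    der_free(root);
    *leaked = g_live_nodes;
    return ok;
}

int main(void)
{
    size_t stop, leaked, top;
    int ok = check_input(REPORTED_INPUT, &stop, &leaked, &top);
    printf("accepted=%d stopped_at=%zu live_nodes_after=%zu\n", ok, stop, leaked);
    return 0;
}
```

The property worth carrying into any hand-written decoder is the one the report's trace violates: a node is linked into its parent before the parser recurses, so a failure anywhere below it is cleaned up by freeing the parent list, and an allocation counter (or valgrind, as in the report) confirms nothing survives a rejected input.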
