[openssl-dev] [openssl.org #4134] [BUG] Memory leak in STORE_store_private_key()

Григорий Загон via RT rt at openssl.org
Wed Nov 11 04:15:16 UTC 2015


Hello!

I work with openssl 1.0.2d, and I found a memory leak in the
STORE_store_private_key() function (defined in crypto/store/str_lib.c).
Here is a code fragment:

465:int STORE_store_private_key(STORE *s, EVP_PKEY *data,
466:                            OPENSSL_ITEM attributes[],
467:                            OPENSSL_ITEM parameters[])
468:{
469:    STORE_OBJECT *object;
470:    int i;
471:
472:    check_store(s, STORE_F_STORE_STORE_PRIVATE_KEY,
473:                store_object, STORE_R_NO_STORE_OBJECT_FUNCTION);
474:
475:    object = STORE_OBJECT_new();
476:    if (!object) {
477:        STOREerr(STORE_F_STORE_STORE_PRIVATE_KEY, ERR_R_MALLOC_FAILURE);
478:        return 0;
479:    }
480:    object->data.key = EVP_PKEY_new();
481:    if (!object->data.key) {
482:        STOREerr(STORE_F_STORE_STORE_PRIVATE_KEY, ERR_R_MALLOC_FAILURE);
483:        return 0;
484:    }
485:
486:    CRYPTO_add(&data->references, 1, CRYPTO_LOCK_EVP_PKEY);
487:#ifdef REF_PRINT
488:    REF_PRINT("EVP_PKEY", data);
489:#endif
490:    object->data.key = data;

At line 480, a pointer to the newly allocated key object is stored in the
'object->data.key' variable.
At line 490, the variable 'object->data.key' is overwritten with a new value.
So, the memory allocated at line 480 will never be freed.
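
A simplified model of the overwrite reported above, added here as an example; it is not part of the original post and is not OpenSSL code. The names toy_pkey, toy_object, the fixed-size pool and the attach_fixed correction are assumptions standing in for EVP_PKEY, STORE_OBJECT and the heap.

```c
#include <stdio.h>

/* Simplified stand-ins (assumptions) for EVP_PKEY and STORE_OBJECT. */
typedef struct { int references; int in_use; } toy_pkey;
typedef struct { toy_pkey *key; } toy_object;

/* A fixed pool stands in for the heap so outstanding allocations can be counted. */
static toy_pkey pool[8];

static toy_pkey *key_new(void) {
    for (int i = 0; i < 8; i++)
        if (!pool[i].in_use) { pool[i].in_use = pool[i].references = 1; return &pool[i]; }
    return NULL;
}
/* Drop one reference; release the slot when the count reaches zero. */
static void key_free(toy_pkey *k) { if (k && --k->references == 0) k->in_use = 0; }

static int live_keys(void) {
    int n = 0;
    for (int i = 0; i < 8; i++) n += pool[i].in_use;
    return n;
}

/* Pattern from the report: allocate a key, then overwrite the only pointer to it. */
static void attach_leaky(toy_object *obj, toy_pkey *data) {
    obj->key = key_new();   /* as at line 480 */
    data->references++;     /* as at line 486 */
    obj->key = data;        /* as at line 490: the new key is now unreachable */
}

/* One possible correction (assumption): take a reference, allocate nothing. */
static void attach_fixed(toy_object *obj, toy_pkey *data) {
    data->references++;
    obj->key = data;
}

/* Attach, release every reachable reference, return the keys still allocated. */
static int leaked_after(void (*attach)(toy_object *, toy_pkey *)) {
    toy_object obj = { NULL };
    int before = live_keys();
    toy_pkey *data = key_new();
    if (!data) return -1;
    attach(&obj, data);
    key_free(obj.key);      /* the object drops its reference */
    key_free(data);         /* the caller drops its reference */
    return live_keys() - before;
}

int main(void) { printf("leaky: %d\n", leaked_after(attach_leaky)); return 0; }
```

Each call through the leaky path strands one key that no remaining pointer can release, so the loss grows with every stored private key.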
