Memory leak in function buf_to_sig
Closed, Resolved | Public

Description

Found by oss-fuzz

Memory is allocated at
sig->hashed = xmalloc (sizeof (*sig->hashed) + n - 1);
in function parse_signature in file g10/parse-packet.c

Memory gets leaked at

if (parse_signature (iobuf, PKT_SIGNATURE, len, sig) != 0)
  {
    xfree (sig);
    sig = NULL;
  }

in function buf_to_sig

Patch could simply be

diff --git a/g10/getkey.c b/g10/getkey.c
index 445e8a6a1..d018be655 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -3142,7 +3142,7 @@ buf_to_sig (const byte * buf, size_t len)
 
   if (parse_signature (iobuf, PKT_SIGNATURE, len, sig) != 0)
     {
-      xfree (sig);
+      free_seckey_enc (sig);
       sig = NULL;
     }
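
Review bot: At the `free_seckey_enc (sig);` line in the error branch, the full destructor now runs on a signature that parse_signature abandoned part-way, so every pointer member it releases must be either NULL or a live allocation at that point. The allocation of sig is outside this hunk; please confirm it is zero-initialized and that parse_signature does not already free sig->hashed on its own error paths, otherwise the leak becomes a free of an uninitialized or already-released pointer. The name free_seckey_enc also does not suggest signature cleanup, so a one-line comment here saying it releases the signature's sub-allocations (such as sig->hashed) would help the next reader. Other callers that follow a failed parse_signature with a plain xfree of the signature deserve the same change.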
gniibe claimed this task. Jul 2 2018, 9:35 AM
gniibe added a subscriber: gniibe.

Good catch. Thank you.

gniibe added a comment. Jul 3 2018, 2:16 AM

I found two more cases. Those are included in the fix.

gniibe triaged this task as Normal priority. Jul 3 2018, 2:22 AM

Fixed in master and 2.2 branch.

gniibe closed this task as Resolved. Jul 13 2018, 3:00 AM