[Openvpn-devel] Avoid memory leak in hmac_ctx_new (OpenSSL 3.0 only)

Message ID 20211030185756.1831-1-selva.nair@gmail.com
State Accepted
Headers show
Series
  • [Openvpn-devel] Avoid memory leak in hmac_ctx_new (OpenSSL 3.0 only)
Related show

Commit Message

Selva Nair Oct. 30, 2021, 6:57 p.m.
From: Selva Nair <selva.nair@gmail.com>

In OpenSSL 3.0, fetched algorithms must be freed
(down referenced). In this case, though EVP_MAC_CTX_new()
keeps a reference to 'hmac', it up-refs it. So we have to free
it here before return.

(Tested using an enable-asan build).

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
 src/openvpn/crypto_openssl.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Arne Schwabe Oct. 31, 2021, 9:48 a.m. | #1
Am 30.10.21 um 20:57 schrieb selva.nair@gmail.com:
> From: Selva Nair <selva.nair@gmail.com>
> 
> In OpenSSL 3.0, fetched algorithms must be freed
> (down referenced). In this case, though EVP_MAC_CTX_new()
> keeps a reference to 'hmac', it up-refs it. So we have to free
> it here before return.
> 
> (Tested using an enable-asan build).
> 

Acked-By: Arne Schwabe <arne@rfc2549.org>

Thanks. I overlooked freeing of fetched algorithms. I probably need to
look at the fetch patch again too :/

Arne
Gert Doering Nov. 5, 2021, 3:17 p.m. | #2
I have not done "real" testing, just "compile and make check" on 
ossl 3.0.0 - but if you and Arne agree, this is definitely good enough 
for me :-)

Your patch has been applied to the master branch.

commit 31e200f807033ac27566bf37a8d9d32820600a83
Author: Selva Nair
Date:   Sat Oct 30 14:57:56 2021 -0400

     Avoid memory leak in hmac_ctx_new (OpenSSL 3.0 only)

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Arne Schwabe <arne@rfc2549.org>
     Message-Id: <20211030185756.1831-1-selva.nair@gmail.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23080.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 6b18551e..9d823add 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -1063,6 +1063,9 @@  hmac_ctx_new(void)
     EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
     ctx->ctx = EVP_MAC_CTX_new(hmac);
     check_malloc_return(ctx->ctx);
+
+    EVP_MAC_free(hmac);
+
     return ctx;
 }