Fix memory leaks in X509 certificate parsing/verification.

2025-10-04 15:48:19 +00:00 · 2014-05-06 20:50:37 -05:00 · 2014-05-06 20:50:37 -05:00 · 6277be6e60
commit 6277be6e60
parent 37b860d325
2 changed files with 20 additions and 9 deletions
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@ -153,6 +153,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
 		unsigned int length = KeyLength(pkey);
 		if ( length > 0 )
 			pX509Cert->Assign(9, new Val(length, TYPE_COUNT));
+
+		EVP_PKEY_free(pkey);
 		}


@ -273,6 +275,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 		vl->append(pBasicConstraint);

 		mgr.QueueEvent(x509_ext_basic_constraints, vl);
+		BASIC_CONSTRAINTS_free(constr);
 		}

 	else
@ -387,6 +390,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 		vl->append(GetFile()->GetVal()->Ref());
 		vl->append(sanExt);
 		mgr.QueueEvent(x509_ext_subject_alternative_name, vl);
+	GENERAL_NAMES_free(altname);
 	}

 StringVal* file_analysis::X509::KeyCurve(EVP_PKEY *key)
@ -442,13 +446,20 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key)
 			return 0;

 		const EC_GROUP *group = EC_KEY_get0_group(key->pkey.ec);
+
 		if ( ! group )
+			{
 			// unknown ex-group
+			BN_free(ec_order);
 			return 0;
+			}

 		if ( ! EC_GROUP_get_order(group, ec_order, NULL) )
+			{
 			// could not get ec-group-order
+			BN_free(ec_order);
 			return 0;
+			}

 		unsigned int length = BN_num_bits(ec_order);
 		BN_free(ec_order);
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@ -179,7 +179,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 		X509* x = ((file_analysis::X509Val*) sv)->GetCertificate();
 		if ( ! x )
 			{
-			sk_X509_pop(untrusted_certs);
+			sk_X509_free(untrusted_certs);
 			builtin_error(fmt("No certificate in opaque in stack"));
 			return x509_error_record(-1, "No certificate in opaque");
 			}
@ -203,6 +203,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 		if ( ! chain )
 			{
 			reporter->Error("Encountered valid chain that could not be resolved");
+			sk_X509_pop_free(chain, X509_free);
 			goto x509_verify_chainerror;
 			}

@ -212,22 +213,21 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 		for ( int i = 0; i < num_certs; i++ )
 			{
 			X509* currcert = sk_X509_value(chain, i);
-			if ( !currcert )
-				{
-				reporter->InternalError("OpenSSL returned null certificate");
-				goto x509_verify_chainerror;
-				}

-			chainVector->Assign(i, new file_analysis::X509Val(currcert)); // X509Val takes ownership
+			if ( currcert )
+				chainVector->Assign(i, new file_analysis::X509Val(currcert)); // X509Val takes ownership
+			else
+				reporter->InternalWarning("OpenSSL returned null certificate");
 			}
+
+		sk_X509_free(chain);
 		}

 x509_verify_chainerror:

 	X509_STORE_CTX_cleanup(&csc);

-	if ( untrusted_certs )
-		sk_X509_pop(untrusted_certs);
+	sk_X509_free(untrusted_certs);

 	RecordVal* rrecord = new RecordVal(BifType::Record::X509::Result);