Skip to content

Commit

Permalink
crypto: fix memory leak if certificate is revoked
Browse files Browse the repository at this point in the history
The additional validity checks applied to StartCom and WoSign
certificates failed to free memory before returning.

Refs: #9469
Fixes: #12033
PR-URL: #12089
Reviewed-By: Sam Roberts <[email protected]>
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
  • Loading branch information
Tom Atkinson authored and MylesBorins committed Mar 29, 2017
1 parent 5fddbf2 commit 9d7fba4
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -2693,7 +2693,9 @@ inline bool CertIsStartComOrWoSign(X509_NAME* name) {
startcom_wosign_data = dn.data;
startcom_wosign_name = d2i_X509_NAME(nullptr, &startcom_wosign_data,
dn.len);
if (X509_NAME_cmp(name, startcom_wosign_name) == 0)
int cmp = X509_NAME_cmp(name, startcom_wosign_name);
X509_NAME_free(startcom_wosign_name);
if (cmp == 0)
return true;
}

Expand Down Expand Up @@ -2738,8 +2740,10 @@ inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) {
}

X509* leaf_cert = sk_X509_value(chain, 0);
if (!CheckStartComOrWoSign(root_name, leaf_cert))
if (!CheckStartComOrWoSign(root_name, leaf_cert)) {
sk_X509_pop_free(chain, X509_free);
return CHECK_CERT_REVOKED;
}

// When the cert is issued from either CNNNIC ROOT CA or CNNNIC EV
// ROOT CA, check a hash of its leaf cert if it is in the whitelist.
Expand Down

0 comments on commit 9d7fba4

Please sign in to comment.