krb5 commit: Don't leak PKINIT CMS signed data certs and CRLs
Greg Hudson
ghudson at MIT.EDU
Mon Jul 15 11:20:10 EDT 2013
https://github.com/krb5/krb5/commit/04444a2606e3db92e66d74e29bef9103452f2cee
commit 04444a2606e3db92e66d74e29bef9103452f2cee
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Wed Jul 10 22:17:58 2013 -0400
Don't leak PKINIT CMS signed data certs and CRLs
The stacks of certificates and CRLs that we retrieve from CMS objects
include newly-owned references to the certificates and CRLs, so when we
go to free them, we need to remember to free those.
[ghudson at mit.edu: minor formatting change; removed unrelated style fix]
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index ae4efc3..29c4f57 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -177,8 +177,10 @@ pkinit_pkcs11_code_to_text(int err);
#include <openssl/cms.h>
#define pkinit_CMS_get0_content_signed(_cms) CMS_get0_content(_cms)
#define pkinit_CMS_get0_content_data(_cms) CMS_get0_content(_cms)
-#define pkinit_CMS_free1_crls(_sk_x509crl) sk_X509_CRL_free((_sk_x509crl))
-#define pkinit_CMS_free1_certs(_sk_x509) sk_X509_free((_sk_x509))
+#define pkinit_CMS_free1_crls(_sk_x509crl) \
+ sk_X509_CRL_pop_free((_sk_x509crl), X509_CRL_free)
+#define pkinit_CMS_free1_certs(_sk_x509) \
+ sk_X509_pop_free((_sk_x509), X509_free)
#define pkinit_CMS_SignerInfo_get_cert(_cms,_si,_x509_pp) \
CMS_SignerInfo_get0_algs(_si,NULL,_x509_pp,NULL,NULL)
#else
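Review bot: the redefined pkinit_CMS_free1_crls and pkinit_CMS_free1_certs macros now free every element as well as the stack, but nothing at the definition says why, so a later cleanup could switch them back to sk_X509_CRL_free and sk_X509_free and reintroduce the leak. A short comment above the two macros, stating that the stacks retrieved from the CMS object hold their own references to each certificate and CRL (as the commit message explains), would keep the ownership rule next to the code. The change touches only the branch that includes <openssl/cms.h>. The definitions after the #else are outside this hunk, so if the same macro names are defined there, it is worth confirming that they free exactly what their stacks own.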