packages/bind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
bind/backport-CVE-2022-2906.patch
JofDiamonds 133ba0f52a fix CVE-2022-2906CVE-2022-38177CVE-2022-38178CVE-2022-2795CVE-2022-2881 
Signed-off-by: huangyu <huangyu106@huawei.com>
2022-10-11 16:05:45 +08:00

122 lines
3.6 KiB
Diff
Raw Blame History

From 73df5c80538970ee1fbc4fe3348109bdc281e197 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Thu, 18 Aug 2022 08:59:09 +0000
Subject: [PATCH] Fix memory leaks in DH code
When used with OpenSSL v3.0.0+, the `openssldh_compare()`,
`openssldh_paramcompare()`, and `openssldh_todns()` functions
fail to cleanup the used memory on some error paths.
Use `DST_RET` instead of `return`, when there is memory to be
released before returning from the functions.
(cherry picked from commit 73d6bbff4e1df583810126fe58eac39bb52bc0d9)
---
lib/dns/openssldh_link.c | 34 ++++++++++++++++++++--------------
1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 30de343..2af1d30 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -68,6 +68,7 @@
"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
"670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
+#define DST_RET(a) {ret = a; goto err;}
static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
@@ -186,7 +187,8 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
static bool
openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
- DH *dh1, *dh2;
+ bool ret = true;
+ DH *dh1, *dh2;
const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
@@ -206,20 +208,21 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
BN_cmp(pub_key1, pub_key2) != 0)
- return (false);
+ DST_RET(false);
if (priv_key1 != NULL || priv_key2 != NULL) {
- if (priv_key1 == NULL || priv_key2 == NULL)
- return (false);
- if (BN_cmp(priv_key1, priv_key2) != 0)
- return (false);
+ if (priv_key1 == NULL || priv_key2 == NULL ||
+ BN_cmp(priv_key1, priv_key2) != 0)
+ DST_RET(false);
}
- return (true);
+err:
+ return (ret);
}
static bool
openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
- DH *dh1, *dh2;
+ bool ret = true;
+ DH *dh1, *dh2;
const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
dh1 = key1->keydata.dh;
@@ -234,8 +237,10 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
DH_get0_pqg(dh2, &p2, NULL, &g2);
if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0)
- return (false);
- return (true);
+ DST_RET(false);
+
+err:
+ return (ret);
}
#if OPENSSL_VERSION_NUMBER > 0x00908000L
@@ -393,7 +398,8 @@ uint16_fromregion(isc_region_t *region) {
static isc_result_t
openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
- DH *dh;
+ isc_result_t ret = ISC_R_SUCCESS;
+ DH *dh;
const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
isc_region_t r;
uint16_t dnslen, plen, glen, publen;
@@ -420,7 +426,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
publen = BN_num_bytes(pub_key);
dnslen = plen + glen + publen + 6;
if (r.length < (unsigned int) dnslen)
- return (ISC_R_NOSPACE);
+ DST_RET(ISC_R_NOSPACE);
uint16_toregion(plen, &r);
if (plen == 1) {
@@ -445,7 +451,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
isc_buffer_add(data, dnslen);
- return (ISC_R_SUCCESS);
+err:
+ return (ret);
}
static isc_result_t
@@ -659,7 +666,6 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
DH *dh = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
isc_mem_t *mctx;
-#define DST_RET(a) {ret = a; goto err;}
UNUSED(pub);
mctx = key->mctx;
--
2.23.0
Reference in New Issue View Git Blame Copy Permalink