author | Tom Atkinson <atkinson.tommy@nhome.ba> | 2017-03-28 14:14:05 +0200 |
---|---|---|
committer | Shigeki Ohtsu <ohtsu@ohtsu.org> | 2017-03-29 03:14:55 +0900 |
commit | a6f94942b0ff617e5788e26261e863f512d713e1 (patch) | |
tree | 6ab1b5936faf227d0634147da0ee92e956b093e6 /src | |
parent | fd18243a50cba987063187b3ff95a2407ed348fa (diff) | |
crypto: fix memory leak if certificate is revoked
The additional validity checks applied to StartCom and WoSign
certificates failed to free memory before returning.
Refs: https://github.com/nodejs/node/pull/9469
Fixes: https://github.com/nodejs/node/issues/12033
PR-URL: https://github.com/nodejs/node/pull/12089
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/node_crypto.cc | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 7698cf2062..5d93184ba6 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -2785,7 +2785,9 @@ inline bool CertIsStartComOrWoSign(X509_NAME* name) {
 startcom_wosign_data = dn.data; startcom_wosign_name = d2i_X509_NAME(nullptr, &startcom_wosign_data, dn.len);
- if (X509_NAME_cmp(name, startcom_wosign_name) == 0)
+ int cmp = X509_NAME_cmp(name, startcom_wosign_name);
+ X509_NAME_free(startcom_wosign_name);
+ if (cmp == 0)
 return true; }
@@ -2830,8 +2832,10 @@ inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) {
 } X509* leaf_cert = sk_X509_value(chain, 0);
- if (!CheckStartComOrWoSign(root_name, leaf_cert))
+ if (!CheckStartComOrWoSign(root_name, leaf_cert)) {
+ sk_X509_pop_free(chain, X509_free);
 return CHECK_CERT_REVOKED;
+ }
 // When the cert is issued from either CNNNIC ROOT CA or CNNNIC EV // ROOT CA, check a hash of its leaf cert if it is in the whitelist. |
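Review bot: The pointer returned by `d2i_X509_NAME` in `CertIsStartComOrWoSign` goes straight into `X509_NAME_cmp` and `X509_NAME_free` with no null check, so a DN that fails to decode would be dereferenced inside the comparison. The table behind `dn` is outside the hunk; if its entries are compiled-in constants, a decode failure is a programming error, and `CHECK_NE(startcom_wosign_name, nullptr);` directly after the decode states that and fails closed, where skipping the entry would silently drop the extra StartCom/WoSign check for that issuer. `startcom_wosign_name` also appears to be declared outside the visible lines and is left dangling after the free until it is reassigned, so declaring it at the point of the decode would keep its lifetime local. The enclosing loop and the function's final return are outside the hunk.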
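Review bot: Releasing `chain` by hand on this one early return in `CheckWhitelistedServerCert` leaves the function depending on every exit repeating `sk_X509_pop_free(chain, X509_free);`, which is the pattern that let this path be missed in the first place. Because the leaked chain was presumably allocated on each verification that ends in `CHECK_CERT_REVOKED`, a peer could trigger it repeatedly, so the ownership rule deserves to be written down: a comment at the declaration of `chain` such as `// chain is owned by this function; every return path must free it`, or a single cleanup point if the rest of the body allows it. The declaration of `chain` and the remaining returns are outside the hunk, so whether the other exits already free it cannot be confirmed from here.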