quic: fix secret memleaks.
It looks like quic_create_cleartext_decoders() needs to free the secrets; tls13_cipher_create() only uses them as const. ASAN report: ERROR: LeakSanitizer: detected memory leaks Direct leak of 32 byte(s) in 1 object(s) allocated from: #0 0x4e26e8 in __interceptor_malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88 #1 0x225b038 in g_malloc #2 0x1742014 in quic_derive_cleartext_secrets /src/wireshark/epan/dissectors/packet-quic.c:1071:10 #3 0x173e579 in quic_create_cleartext_decoders /src/wireshark/epan/dissectors/packet-quic.c:1091:10 #4 0x173dc89 in dissect_quic_long_header /src/wireshark/epan/dissectors/packet-quic.c:1221:14 #5 0x173ced6 in dissect_quic /src/wireshark/epan/dissectors/packet-quic.c:1402:18 (...) Direct leak of 32 byte(s) in 1 object(s) allocated from: #0 0x4e26e8 in __interceptor_malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88 #1 0x225b038 in g_malloc #2 0x1741fd5 in quic_derive_cleartext_secrets /src/wireshark/epan/dissectors/packet-quic.c:1065:10 #3 0x173e579 in quic_create_cleartext_decoders /src/wireshark/epan/dissectors/packet-quic.c:1091:10 #4 0x173dc89 in dissect_quic_long_header /src/wireshark/epan/dissectors/packet-quic.c:1221:14 #5 0x173ced6 in dissect_quic /src/wireshark/epan/dissectors/packet-quic.c:1402:18 (...) Found by oss-fuzz/5902. Change-Id: I6f8a4597411ee267773225e45043addb69928d66 Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5902 Reviewed-on: https://code.wireshark.org/review/25571 Petri-Dish: Jakub Zawadzki <darkjames-ws@darkjames.pl> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl>
parent
f244742b46
commit
e3a7676186
|
@ -1070,7 +1070,7 @@ quic_derive_cleartext_secrets(guint64 cid,
|
|||
|
||||
if (!tls13_hkdf_expand_label(tls13_draft_version, GCRY_MD_SHA256, &secret, server_label,
|
||||
"", HASH_SHA2_256_LENGTH, server_cleartext_secret)) {
|
||||
wmem_free(NULL, client_cleartext_secret);
|
||||
wmem_free(NULL, *client_cleartext_secret);
|
||||
*client_cleartext_secret = NULL;
|
||||
*error = "Key expansion (server) failed";
|
||||
return FALSE;
|
||||
|
@ -1096,6 +1096,10 @@ quic_create_cleartext_decoders(guint64 cid, const gchar **error, quic_info_data_
|
|||
/* Cleartext packets are protected with AEAD_AES_128_GCM */
|
||||
client_cipher = tls13_cipher_create(QUIC_TLS13_VERSION, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_GCM, GCRY_MD_SHA256, &client_secret, error);
|
||||
server_cipher = tls13_cipher_create(QUIC_TLS13_VERSION, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_GCM, GCRY_MD_SHA256, &server_secret, error);
|
||||
|
||||
wmem_free(NULL, client_secret.data);
|
||||
wmem_free(NULL, server_secret.data);
|
||||
|
||||
if (!client_cipher || !server_cipher) {
|
||||
return FALSE;
|
||||
}
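Review bot: The two `wmem_free()` calls added right after the `tls13_cipher_create()` calls in quic_create_cleartext_decoders() are only safe if the callee never keeps `secret->data` past its return, and nothing visible states that contract. The new `const StringInfo *secret` qualifier makes the struct read-only, but it neither protects the buffer behind `data` nor stops the pointer from being stored, so a later change that caches it would become a use-after-free in a dissector that runs on untrusted captures. I would add `/* tls13_cipher_create() only reads the secrets while deriving key and IV; we still own them. */` above the frees, and extend the prototype comment in the header hunk with a sentence saying the caller retains ownership of `secret`. Both functions continue outside the visible hunks, so whether the callee copies everything it needs should be confirmed against its full body before that comment is committed.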
|
||||
|
|
|
@ -3022,7 +3022,7 @@ tls13_cipher_destroy_cb(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _
|
|||
}
|
||||
|
||||
tls13_cipher *
|
||||
tls13_cipher_create(guint8 tls13_draft_version, int cipher_algo, int cipher_mode, int hash_algo, StringInfo *secret, const gchar **error)
|
||||
tls13_cipher_create(guint8 tls13_draft_version, int cipher_algo, int cipher_mode, int hash_algo, const StringInfo *secret, const gchar **error)
|
||||
{
|
||||
tls13_cipher *cipher = NULL;
|
||||
guchar *write_key = NULL, *write_iv = NULL;
|
||||
|
|
|
@ -643,7 +643,7 @@ ssl_decrypt_record(SslDecryptSession *ssl, SslDecoder *decoder, guint8 ct, guint
|
|||
* and mode are Libgcrypt identifiers.
|
||||
*/
|
||||
tls13_cipher *
|
||||
tls13_cipher_create(guint8 tls13_draft_version, int cipher_algo, int cipher_mode, int hash_algo, StringInfo *secret, const gchar **error);
|
||||
tls13_cipher_create(guint8 tls13_draft_version, int cipher_algo, int cipher_mode, int hash_algo, const StringInfo *secret, const gchar **error);
|
||||
|
||||
/*
|
||||
* Calculate HKDF-Extract(salt, IKM) -> PRK according to RFC 5869.
|
||||
|
|