This repository has been archived by the owner on Mar 4, 2020. It is now read-only.

crypto: fix memory leak if certificate is revoked
The additional validity checks applied to StartCom and WoSign
certificates failed to free memory before returning.

Refs: nodejs/node#9469
Fixes: nodejs/node#12033
PR-URL: nodejs/node#12089
Reviewed-By: Sam Roberts <[email protected]>
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Tom Atkinson authored and kevinsawicki committed May 16, 2017
1 parent 943cb37 commit 9b1683e
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions src/node_crypto.cc
Expand Up @@ -2767,7 +2767,9 @@ inline bool CertIsStartComOrWoSign(X509_NAME* name) {
startcom_wosign_data = dn.data;
startcom_wosign_name = d2i_X509_NAME(nullptr, &startcom_wosign_data,
dn.len);
if (X509_NAME_cmp(name, startcom_wosign_name) == 0)
int cmp = X509_NAME_cmp(name, startcom_wosign_name);
X509_NAME_free(startcom_wosign_name);
if (cmp == 0)
return true;
}

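Review bot: in CertIsStartComOrWoSign the pointer returned by `d2i_X509_NAME(nullptr, &startcom_wosign_data, dn.len)` goes straight into `X509_NAME_cmp` with no nullptr check, and the new lines keep that. If decoding dn.data ever fails, X509_NAME_cmp is called on a null pointer. Suggest skipping the comparison when startcom_wosign_name is nullptr; the added `X509_NAME_free(startcom_wosign_name);` is already safe for a null argument, so only the compare needs the guard.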
Expand Down Expand Up @@ -2812,8 +2814,10 @@ inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) {
}

X509* leaf_cert = sk_X509_value(chain, 0);
if (!CheckStartComOrWoSign(root_name, leaf_cert))
if (!CheckStartComOrWoSign(root_name, leaf_cert)) {
sk_X509_pop_free(chain, X509_free);
return CHECK_CERT_REVOKED;
}

// When the cert is issued from either CNNNIC ROOT CA or CNNNIC EV
// ROOT CA, check a hash of its leaf cert if it is in the whitelist.
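Review bot: the early return after `!CheckStartComOrWoSign(root_name, leaf_cert)` in CheckWhitelistedServerCert now carries its own `sk_X509_pop_free(chain, X509_free);`, so every exit path in this function has to remember to release chain by hand, which is the pattern that allowed the leak this commit fixes. Suggest holding chain in a scoped owner (for example a std::unique_ptr whose deleter calls sk_X509_pop_free) or routing the returns through a single cleanup point, so a later early return cannot leak again. A one-line comment stating that this function owns chain would also help the next reader.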