Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

memory resource leaks in yubihsm-shell CLI tool #88

invd opened this issue Jul 18, 2020 · 2 comments · Fixed by #92

memory resource leaks in yubihsm-shell CLI tool #88

invd opened this issue Jul 18, 2020 · 2 comments · Fixed by #92


Copy link

invd commented Jul 18, 2020

Part no. 1

During recent fuzzing of yubihsm-shell, I've noticed that the following memory allocated in the main() is not properly free'd in the cleanup phase:

ctx.connector_list = calloc(1, sizeof(char *));

ctx.connector_list[0] = strdup(LOCAL_CONNECTOR_URL);

The main_exit section doesn't touch it:


Lines 2718 to 2733 in 130a1cf

if (ctx.out != stdout && ctx.out != NULL) {
if (ctx.cacert) {
if (ctx.proxy) {

Part no. 2

While looking at the pcc_failure cleanup section of the related parse_configured_connectors() function, I've noticed the following line, which I think is flawed and also leads to some resource leakage:

ctx->connector_list = NULL;

It doesn't make sense to overwrite ctx->connector_list multiple times with NULL and then try to free() it.
The line should probably have been ctx->connector_list[i] = NULL;


Given the context, I do not consider either issue security related. The functional impact of the leaks is likely also low for regular CLI operation.

Copy link

nevun commented Aug 12, 2020

Thank you for the report. You are correct that this is a memory leak and no 2 is for sure a mistake.

Would you agree the following patch fixes it?

diff --git a/src/main.c b/src/main.c
index 7e488ad..1431ea7 100644
--- a/src/main.c
+++ b/src/main.c
@@ -1710,7 +1710,7 @@ static int parse_configured_connectors(yubihsm_context *ctx, char **connectors,
   for (int i = 0; i < ctx->n_connectors; i++) {
-    ctx->connector_list = NULL;
+    ctx->connector_list[i] = NULL;
@@ -2737,5 +2737,14 @@ main_exit:
   ctx.state = NULL;
+  if (ctx.connector_list != NULL) {
+    for (int i = 0; i < ctx.n_connectors; i++) {
+      free(ctx.connector_list[i]);
+      ctx.connector_list[i] = NULL;
+    }
+    free(ctx.connector_list);
+    ctx.connector_list = NULL;
+  }
   return rc;

Copy link

invd commented Aug 12, 2020

I think ctx.n_connectors = 0; can be added to the second part of the patch, otherwise things look good.
I'll test the exact code in the next days.

@klali klali closed this as completed in 3e54e43 Aug 17, 2020
klali added a commit that referenced this issue Aug 17, 2020
fixes issue from #88 since I was to quick in merging #92
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

Successfully merging a pull request may close this issue.

2 participants