memory resource leaks in yubihsm-shell CLI tool  #88

@invd

Part no. 1

During recent fuzzing of yubihsm-shell, I've noticed that the following memory allocated in the main() is not properly free'd in the cleanup phase:

ctx.connector_list = calloc(1, sizeof(char *));

ctx.connector_list[0] = strdup(LOCAL_CONNECTOR_URL);

The main_exit section doesn't touch it:

yubihsm-shell/src/main.c

Lines 2718 to 2733 in 130a1cf

main_exit:
  cmdline_parser_free(&args_info);
  if (ctx.out != stdout && ctx.out != NULL) {
    fclose(ctx.out);
  }
  if (ctx.cacert) {
    free(ctx.cacert);
  }
  if (ctx.proxy) {
    free(ctx.proxy);
  }
  yh_exit();

Part no. 2

While looking at the pcc_failure cleanup section of the related parse_configured_connectors() function, I've noticed the following line, which I think is flawed and also leads to some resource leakage:

ctx->connector_list = NULL;

It doesn't make sense to overwrite ctx->connector_list multiple times with NULL and then try to free() it.
The line should probably have been ctx->connector_list[i] = NULL;

Comment

Given the context, I do not consider either issue security related. The functional impact of the leaks is likely also low for regular CLI operation.
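The cleanup order both parts point at (free each entry, then the array, then clear the array pointer once), as an added example that is not part of the original issue and not yubihsm-shell code. The `demo_ctx` struct, the `t_*` counting allocator wrappers, `n_connectors` and the URL value are hypothetical stand-ins used so the leak can be counted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for LOCAL_CONNECTOR_URL; the real value is not on the page. */
#define DEMO_CONNECTOR_URL "http://connector.example:12345"
static long live_allocs; /* heap blocks currently owned by the demo */
static void *t_calloc(size_t n, size_t sz) {
  void *p = calloc(n, sz);
  if (p) live_allocs++;
  return p;
}
static void t_free(void *p) { if (p) { live_allocs--; free(p); } }
static char *t_strdup(const char *s) {
  char *p = t_calloc(strlen(s) + 1, 1);
  if (p) strcpy(p, s);
  return p;
}
/* Hypothetical model of the fields involved, not the project's context struct. */
typedef struct { char **connector_list; size_t n_connectors; } demo_ctx;

/* Same allocation shape as the two lines quoted from main(): array, then entry 0. */
static int demo_init(demo_ctx *ctx, size_t slots) {
  ctx->connector_list = slots ? t_calloc(slots, sizeof(char *)) : NULL;
  if (!ctx->connector_list) return -1;
  ctx->n_connectors = slots;
  ctx->connector_list[0] = t_strdup(DEMO_CONNECTOR_URL);
  return ctx->connector_list[0] ? 0 : -1;
}

/* Release every entry, then the array; the array pointer is cleared only once. */
static void demo_free_connectors(demo_ctx *ctx) {
  if (!ctx->connector_list) return;
  for (size_t i = 0; i < ctx->n_connectors; i++) {
    t_free(ctx->connector_list[i]); /* unused slots are NULL and are skipped */
    ctx->connector_list[i] = NULL;  /* per-entry reset, as Part no. 2 suggests */
  }
  t_free(ctx->connector_list);
  ctx->connector_list = NULL;
  ctx->n_connectors = 0;
}

int main(void) {
  demo_ctx ctx = {0};
  if (demo_init(&ctx, 3) != 0) { demo_free_connectors(&ctx); return 1; }
  printf("live blocks before cleanup: %ld\n", live_allocs);
  demo_free_connectors(&ctx);
  printf("live blocks after cleanup: %ld\n", live_allocs);
  return 0;
}
```

Exiting without the `demo_free_connectors()` call leaves two live blocks (the array and the duplicated URL), which is the kind of leftover a fuzzer's leak checker reports at process exit.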
