[Opendnssec-develop] Fwd: [ldns-users] Memory leak in keys.c, ldns_key_new_frm_algorithm

Fri Jul 13 11:46:19 UTC 2012

Hi Matthijs,

Do you know if this memory leak affects OpenDNSSEC?

/Jerry

Begin forwarded message:
> 
> From: Michael Sheldon <msheldon at godaddy.com>
> Subject: [ldns-users] Memory leak in keys.c, ldns_key_new_frm_algorithm
> Date: July 11, 2012 19:12:00 GMT+02:00
> To: "ldns-users at open.nlnetlabs.nl" <ldns-users at open.nlnetlabs.nl>
> 
> There are two memory leaks in keys.c, ldns_key_new_frm_algorithm
> 
> The issue in the following is that ldns_key_set_rsa_key uses
> EVP_PKEY_set1_RSA(), which *copies* the RSA data, thus the original data
> must be freed by the calling application.
> 
> 00837                 case LDNS_SIGN_RSAMD5:
> 00838                 case LDNS_SIGN_RSASHA1:
> 00839                 case LDNS_SIGN_RSASHA1_NSEC3:
> 00840                 case LDNS_SIGN_RSASHA256:
> 00841                 case LDNS_SIGN_RSASHA512:
> 00842 #ifdef HAVE_SSL
> 00843                         r = RSA_generate_key((int)size, RSA_F4,
> NULL, NULL);
> 00844                         if(!r) {
> 00845                                 ldns_key_free(k);
> 00846                                 return NULL;
> 00847                         }
> 00848                         if (RSA_check_key(r) != 1) {
> 00849                                 ldns_key_free(k);
> 00850                                 return NULL;
> 00851                         }
> 00852                         ldns_key_set_rsa_key(k, r);
> 00853 #endif /* HAVE_SSL */
> 00854                         break;
> 
> The solution is to use RSA_free(r) after line 852.
> 
> The same issue applies in the following code. ldns_key_set_dsa_key uses
> EVP_PKEY_set1_DSA(), which *copies* the DSA data, thus the original data
> must be freed by the calling application.
> 
> 00855                 case LDNS_SIGN_DSA:
> 00856                 case LDNS_SIGN_DSA_NSEC3:
> 00857 #ifdef HAVE_SSL
> 00858                         d = DSA_generate_parameters((int)size,
> NULL, 0, NULL, NULL, NULL, NULL);
> 00859                         if (!d) {
> 00860                                 ldns_key_free(k);
> 00861                                 return NULL;
> 00862                         }
> 00863                         if (DSA_generate_key(d) != 1) {
> 00864                                 ldns_key_free(k);
> 00865                                 return NULL;
> 00866                         }
> 00867                         ldns_key_set_dsa_key(k, d);
> 00868 #endif /* HAVE_SSL */
> 00869                         break;
> 
> The solution is to use DSA_free(d) after line 867.
> 
> An alternative solution is to use EVP_PKEY_assign_RSA and
> EVP_PKEY_assign_DSA in place of EVP_PKEY_set1_RSA and EVP_PKEY_set1_DSA.
> The problem here is that it changes the existing behaviour of
> ldns_key_set_rsa_key and ldns_key_set_dsa_key, which developers may be
> calling.
> 
> Michael Sheldon
> Dev-DNS Services
> GoDaddy.com

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/