[Opendnssec-develop] Fwd: [ldns-users] Memory leak in keys.c, ldns_key_new_frm_algorithm
Matthijs Mekking
matthijs at nlnetlabs.nl
Mon Jul 16 12:08:08 UTC 2012
It does not. OpenDNSSEC does not depend on the openssl parts of ldns.
Best regards,
Matthijs
On 07/13/2012 01:46 PM, Jerry Lundström wrote:
> Hi Matthijs,
>
> Do you know if this memory leak affects OpenDNSSEC?
>
> /Jerry
>
> Begin forwarded message:
>>
>> From: Michael Sheldon <msheldon at godaddy.com>
>> Subject: [ldns-users] Memory leak in keys.c, ldns_key_new_frm_algorithm
>> Date: July 11, 2012 19:12:00 GMT+02:00
>> To: "ldns-users at open.nlnetlabs.nl" <ldns-users at open.nlnetlabs.nl>
>>
>> There are two memory leaks in keys.c, ldns_key_new_frm_algorithm.
>>
>> The issue in the following is that ldns_key_set_rsa_key uses
>> EVP_PKEY_set1_RSA(), which *copies* the RSA data, thus the
>> original data must be freed by the calling application.
>>
>> 00837     case LDNS_SIGN_RSAMD5:
>> 00838     case LDNS_SIGN_RSASHA1:
>> 00839     case LDNS_SIGN_RSASHA1_NSEC3:
>> 00840     case LDNS_SIGN_RSASHA256:
>> 00841     case LDNS_SIGN_RSASHA512:
>> 00842 #ifdef HAVE_SSL
>> 00843         r = RSA_generate_key((int)size, RSA_F4, NULL, NULL);
>> 00844         if(!r) {
>> 00845             ldns_key_free(k);
>> 00846             return NULL;
>> 00847         }
>> 00848         if (RSA_check_key(r) != 1) {
>> 00849             ldns_key_free(k);
>> 00850             return NULL;
>> 00851         }
>> 00852         ldns_key_set_rsa_key(k, r);
>> 00853 #endif /* HAVE_SSL */
>> 00854         break;
>>
>> The solution is to use RSA_free(r) after line 852.
>>
>> The same issue applies in the following code.
>> ldns_key_set_dsa_key uses EVP_PKEY_set1_DSA(), which *copies* the
>> DSA data, thus the original data must be freed by the calling
>> application.
>>
>> 00855     case LDNS_SIGN_DSA:
>> 00856     case LDNS_SIGN_DSA_NSEC3:
>> 00857 #ifdef HAVE_SSL
>> 00858         d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL);
>> 00859         if (!d) {
>> 00860             ldns_key_free(k);
>> 00861             return NULL;
>> 00862         }
>> 00863         if (DSA_generate_key(d) != 1) {
>> 00864             ldns_key_free(k);
>> 00865             return NULL;
>> 00866         }
>> 00867         ldns_key_set_dsa_key(k, d);
>> 00868 #endif /* HAVE_SSL */
>> 00869         break;
>>
>> The solution is to use DSA_free(d) after line 867.
>>
>> An alternative solution is to use EVP_PKEY_assign_RSA and
>> EVP_PKEY_assign_DSA in place of EVP_PKEY_set1_RSA and
>> EVP_PKEY_set1_DSA. The problem here is that it changes the
>> existing behaviour of ldns_key_set_rsa_key and
>> ldns_key_set_dsa_key, which developers may be calling.
>>
>> Michael Sheldon
>> Dev-DNS Services
>> GoDaddy.com
>
>
> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/
>
>
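The ownership rule behind the leak Michael describes, as an added example that is not ldns or OpenSSL code: a mock key with a reference count stands in for the RSA/DSA object, a mock container for the EVP_PKEY, and mock_pkey_set1()/mock_pkey_assign() mirror the two OpenSSL conventions the report contrasts (all names are hypothetical). Each function returns how many keys are still allocated after cleanup, so the quoted code, the reporter's fix and the assign alternative can be compared directly.

```c
#include <stdlib.h>
/* Mock key: a reference count stands in for OpenSSL's RSA/DSA object (not real OpenSSL). */
typedef struct { int refcnt; } mock_key;
static int live_keys = 0;   /* mock keys still allocated; non-zero after cleanup is a leak */
static mock_key *mock_key_new(void) {
    mock_key *k = malloc(sizeof *k); if (!k) abort();
    k->refcnt = 1; live_keys++;
    return k;
}
/* Like RSA_free()/DSA_free(): drop one reference, release storage on the last one. */
static void mock_key_free(mock_key *k) {
    if (k && --k->refcnt == 0) { free(k); live_keys--; }
}
/* Mock container standing in for the EVP_PKEY that ldns_key_set_rsa_key() fills. */
typedef struct { mock_key *key; } mock_pkey;
/* set1 convention: the container takes its OWN reference; the caller still owns its. */
static void mock_pkey_set1(mock_pkey *p, mock_key *k) { k->refcnt++; p->key = k; }
/* assign convention: the container takes over the caller's reference outright. */
static void mock_pkey_assign(mock_pkey *p, mock_key *k) { p->key = k; }
static void mock_pkey_clear(mock_pkey *p) { mock_key_free(p->key); p->key = NULL; }
/* The quoted ldns code: set1 with no matching free. Returns keys leaked (1). */
int leak_set1_without_free(void) {
    int before = live_keys;
    mock_pkey p = { NULL };
    mock_key *r = mock_key_new();
    mock_pkey_set1(&p, r);      /* refcnt 2: container + caller */
    mock_pkey_clear(&p);        /* refcnt 1: the caller's reference is never dropped */
    return live_keys - before;
}
/* Reporter's fix: RSA_free(r) right after ldns_key_set_rsa_key(k, r). Returns 0. */
int fixed_set1_then_free(void) {
    int before = live_keys;
    mock_pkey p = { NULL };
    mock_key *r = mock_key_new();
    mock_pkey_set1(&p, r);
    mock_key_free(r);           /* caller drops its reference; container keeps one */
    mock_pkey_clear(&p);
    return live_keys - before;
}
/* Alternative fix: assign instead of set1, so the caller must NOT free r afterwards.
 * Existing callers that free after the call would then double-free: the behaviour
 * change the report warns about. Returns 0. */
int fixed_assign(void) {
    int before = live_keys;
    mock_pkey p = { NULL };
    mock_key *r = mock_key_new();
    mock_pkey_assign(&p, r);    /* ownership moves into the container */
    mock_pkey_clear(&p);
    return live_keys - before;
}
```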