Closed Bug 1591363 Opened 9 months ago Closed 8 months ago

PBKDF2 memory leak in NSC_GenerateKey if key length > MAX_KEY_LEN (256)

Categories

(NSS :: Libraries, defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: guidovranken, Assigned: marcus.apb)

References

(Blocks 1 open bug)

Attachments

(3 files)

Attached file pbkdf2_leak_poc.cpp

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

PBKDF2 with keysize > 256
See attached file.

Actual results:

Memory leak (NSSPKCS5PBEParameter allocated but not freed).

In NSC_GenerateKey, after NSSPKCS5PBEParameter has been allocated to pbe_param by nsc_SetupPBEKeyGen, the following checks return to the caller without freeing pbe_param:

/* make sure we aren't going to overflow the buffer */
if (sizeof(buf) < key_length) {
    /* someone is getting pretty optimistic about how big their key can
     * be... */
    crv = CKR_TEMPLATE_INCONSISTENT;
}

if (crv != CKR_OK) {
    goto loser;
}

Expected results:

No memory leak.
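The leak pattern from the report, modelled in C as an added example (not NSS code): a stand-in allocation, the same buffer-size check and `goto loser` exit, and the fixed shape where the cleanup label frees the parameter on every path. The struct, the RV_* status codes and the live-object counter are constructed for this model.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_KEY_LEN 256   /* same bound as the buffer in the reported check */
/* Stand-in status codes for this model, not the real CKR_* values. */
enum { RV_OK = 0, RV_HOST_MEMORY = 1, RV_TEMPLATE_INCONSISTENT = 2 };
/* Constructed stand-in for NSSPKCS5PBEParameter, plus a live-object
 * counter used as leak instrumentation. */
struct pbe_param { unsigned char salt[16]; unsigned iterations; };
static int live_pbe_params = 0;
static struct pbe_param *setup_pbe(void) {
    struct pbe_param *p = calloc(1, sizeof *p);
    if (p) live_pbe_params++;
    return p;
}
static void free_pbe(struct pbe_param *p) {
    if (p) { live_pbe_params--; free(p); }
}
/* Leaky shape: the error exit jumps past the only free(). */
int generate_key_leaky(size_t key_length) {
    unsigned char buf[MAX_KEY_LEN];
    int crv = RV_OK;
    struct pbe_param *pbe_param = setup_pbe();
    if (!pbe_param) return RV_HOST_MEMORY;
    if (sizeof(buf) < key_length) crv = RV_TEMPLATE_INCONSISTENT;
    if (crv != RV_OK) goto loser;   /* pbe_param is still owned here */
    memset(buf, 0xA5, key_length);  /* stand-in for the key derivation */
    free_pbe(pbe_param);            /* only the success path releases it */
loser:
    return crv;
}
/* Fixed shape: one cleanup label that every exit path passes through. */
int generate_key_fixed(size_t key_length) {
    unsigned char buf[MAX_KEY_LEN];
    int crv = RV_OK;
    struct pbe_param *pbe_param = setup_pbe();
    if (!pbe_param) return RV_HOST_MEMORY;
    if (sizeof(buf) < key_length) crv = RV_TEMPLATE_INCONSISTENT;
    if (crv != RV_OK) goto loser;
    memset(buf, 0xA5, key_length);
loser:
    free_pbe(pbe_param);            /* runs on success and on error */
    return crv;
}
/* Objects still live after one call; 0 means no leak on that path. */
int leaked_after(int (*fn)(size_t), size_t key_length) {
    live_pbe_params = 0;
    (void)fn(key_length);
    return live_pbe_params;
}
```

Building with -fsanitize=address and calling the leaky path with a key length above 256 makes LeakSanitizer report the same leak without the counter.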

Marcus, can you confirm/triage?

Flags: needinfo?(marcus.apb)

Sure. I will deal with this tomorrow.

Flags: needinfo?(marcus.apb)

Confirmed. Sending a patch soon.

Assignee: nobody → marcus.apb
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Status: NEW → ASSIGNED

During the flow analysis, I found another leak similar to the one reported in this bug. Both were fixed in this patch.

Blocks: 1577624
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 3.48

Fixup needed for a Coverity issue discovered upon uplift: https://phabricator.services.mozilla.com/D52779#1605218

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED