gpg: Fix memory leak in sig-check.
authorWerner Koch <wk@gnupg.org>
Thu, 24 Aug 2017 18:26:19 +0000 (20:26 +0200)
committerWerner Koch <wk@gnupg.org>
Thu, 24 Aug 2017 18:26:19 +0000 (20:26 +0200)
* g10/sig-check.c (check_signature_over_key_or_uid): Remove useless
condition.  Actually free when SIGNER was allocated by us.
--

SIGNER_ALLOCED was never set to -1, yet the cleanup tested for that
value.

If SIGNER_ALLOCED was 2 the memory was never freed, because the free
was nested under the check for 1:

  if (signer_allocated == 1)
    if (signer_allocated == 2)
      free()

Fixes-commit: 44cdb9d73f1a0b7d2c8483a119b9c4d6caabc1ec

This function needs to be audited more thoroughly.

Signed-off-by: Werner Koch <wk@gnupg.org>
g10/sig-check.c

index a4ef142..23af12b 100644 (file)
@@ -878,6 +878,9 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
               if (ret_pk)
                 {
                   signer = ret_pk;
+                  /* FIXME: Using memset here is probematic because it
+                   * assumes that there are no allocated fields in
+                   * SIGNER.  */
                   memset (signer, 0, sizeof (*signer));
                   signer_alloced = 1;
                 }
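Review bot: On the `signer = ret_pk; ... signer_alloced = 1;` path at the top of this hunk the caller's RET_PK is used as the lookup buffer, and the leave: cleanup visible in the next hunk then skips the copy (`ret_pk != signer` is false) and, under the now plain `if (signer_alloced)`, calls `release_public_key_parts (signer)` on that very structure — so on success the caller seems to get RET_PK back with its allocated parts already released (this predates the patch, and assumes nothing between the two hunks reassigns SIGNER). If that reading holds, the parts should only be released when the function owns the object or the lookup failed, e.g. `if (signer_alloced == 2 || (signer_alloced == 1 && rc))`. The added FIXME would serve better as a stated contract than a caveat, e.g. `/* RET_PK must be zero-initialized or already released by the caller; memset would leak any allocated fields.  */`. Minor: `probematic` in the new comment should read `problematic`. check_signature_over_key_or_uid begins before this hunk and its leave: block lies in the next one.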
@@ -956,10 +959,10 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
   gcry_md_close (md);
 
  leave:
-  if (! rc && ret_pk && (signer_alloced == -1 || ret_pk != signer))
+  if (! rc && ret_pk && ret_pk != signer)
     copy_public_key (ret_pk, signer);
 
-  if (signer_alloced == 1)
+  if (signer_alloced)
     {
       /* We looked up SIGNER; it is not a pointer into KB.  */
       release_public_key_parts (signer);