From: Theo Buehler <tb@theobuehler.org>
Subject: Re: [PATCH] libressl: fix memory leak in PKCS7_signatureVerify on error
To: Niels Dossche <dossche.niels@gmail.com>
Cc: tech@openbsd.org
Date: Tue, 18 Mar 2025 13:50:11 +0100

On Tue, Mar 18, 2025 at 01:41:27PM +0100, Niels Dossche wrote:
> Hi
> 
> This patch fixes a memory leak when an error occurs in PKCS7_signatureVerify in libressl.
> 
> This issue was found via an experimental static analyzer I'm working on,
> and I manually read the code to verify whether this is a real bug or not.

Thanks, committed (I don't think EVP_VerifyUpdate() can actually fail
here, but it surely isn't correct as it is written)

> 
> 
> ---------------------------------------------------------------------------
> diff --git a/pk7_doit.c b/pk7_doit.c
> index e1c075f..0844d23 100644
> --- a/pk7_doit.c
> +++ b/pk7_doit.c
> @@ -1067,8 +1067,10 @@ PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, X509 *x509)
>  			ret = -1;
>  			goto err;
>  		}
> -		if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen))
> +		if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen)) {
> +			free(abuf);
>  			goto err;
> +		}
>  
>  		free(abuf);
>  	}
>