diff options
Diffstat (limited to 'CVE-2022-2906.patch')
| -rw-r--r-- | CVE-2022-2906.patch | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/CVE-2022-2906.patch b/CVE-2022-2906.patch new file mode 100644 index 0000000..a7a12eb --- /dev/null +++ b/CVE-2022-2906.patch @@ -0,0 +1,138 @@ +From 73df5c80538970ee1fbc4fe3348109bdc281e197 Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan <aram@isc.org> +Date: Thu, 18 Aug 2022 08:59:09 +0000 +Subject: [PATCH] Fix memory leaks in DH code + +When used with OpenSSL v3.0.0+, the `openssldh_compare()`, +`openssldh_paramcompare()`, and `openssldh_todns()` functions +fail to cleanup the used memory on some error paths. + +Use `DST_RET` instead of `return`, when there is memory to be +released before returning from the functions. + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/73df5c80538970ee1fbc4fe3348109bdc281e197 + +(cherry picked from commit 73d6bbff4e1df583810126fe58eac39bb52bc0d9) +--- + lib/dns/openssldh_link.c | 45 +++++++++++++++++++++++----------------- + 1 file changed, 26 insertions(+), 19 deletions(-) + +diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c +index 72b8209..ece97ea 100644 +--- a/lib/dns/openssldh_link.c ++++ b/lib/dns/openssldh_link.c +@@ -68,6 +68,12 @@ + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ + "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF" + ++#define DST_RET(a) \ ++ { \ ++ ret = a; \ ++ goto err; \ ++ } ++ + static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; + + #if !HAVE_DH_GET0_KEY +@@ -180,7 +186,8 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + + static bool + openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { +- DH *dh1, *dh2; ++ bool ret = true; ++ DH *dh1, *dh2; + const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; + const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; + const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; +@@ -202,23 +209,24 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || + BN_cmp(pub_key1, pub_key2) != 0) + { +- return (false); ++ DST_RET(false); + } + + if (priv_key1 != NULL || priv_key2 != NULL) { +- if (priv_key1 == NULL || priv_key2 == NULL) { +- return (false); +- } +- if (BN_cmp(priv_key1, priv_key2) != 0) { +- return (false); ++ if (priv_key1 == NULL || priv_key2 == NULL || ++ BN_cmp(priv_key1, priv_key2) != 0) { ++ DST_RET(false); + } + } +- return (true); ++ ++err: ++ return (ret); + } + + static bool + openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { +- DH *dh1, *dh2; ++ bool ret = true; ++ DH *dh1, *dh2; + const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; + + dh1 = key1->keydata.dh; +@@ -234,9 +242,11 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { + DH_get0_pqg(dh2, &p2, NULL, &g2); + + if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) { +- return (false); ++ DST_RET(false); + } +- return (true); ++ ++err: ++ return (ret); + } + + static int +@@ -386,7 +396,8 @@ uint16_fromregion(isc_region_t *region) { + + static isc_result_t + openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { +- DH *dh; ++ isc_result_t ret = ISC_R_SUCCESS; ++ DH *dh; + const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; + isc_region_t r; + uint16_t dnslen, plen, glen, publen; +@@ -412,7 +423,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + publen = BN_num_bytes(pub_key); + dnslen = plen + glen + publen + 6; + if (r.length < (unsigned int)dnslen) { +- return (ISC_R_NOSPACE); ++ DST_RET(ISC_R_NOSPACE); + } + + uint16_toregion(plen, &r); +@@ -441,7 +452,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + + isc_buffer_add(data, dnslen); + +- return (ISC_R_SUCCESS); ++err: ++ return (ret); + } + + static isc_result_t +@@ -659,11 +671,6 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + DH *dh = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; + isc_mem_t *mctx; +-#define DST_RET(a) \ +- { \ +- ret = a; \ +- goto err; \ +- } + + UNUSED(pub); + mctx = key->mctx; +-- +2.23.0 + |