Fix memory leak on error in pkcs7_get_signers_info_set
mbedtls_x509_name allocates memory, which must be freed if there is a
subsequent error.
Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53811).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/pkcs7.c b/library/pkcs7.c
index fc6dd33..e4238b6 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -387,7 +387,7 @@
ret = pkcs7_get_signer_info( p, end_set, signers_set );
if( ret != 0 )
- return( ret );
+ goto cleanup;
count++;
mbedtls_pkcs7_signer_info *prev = signers_set;
diff --git a/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der b/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der
new file mode 100644
index 0000000..51aef0d
--- /dev/null
+++ b/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der
Binary files differ
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index 5ecfb91..c329a77 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -65,6 +65,9 @@
pkcs7_get_signers_info_set error handling (6213931373035520)
pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+pkcs7_get_signers_info_set error handling (4541044530479104)
+pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
PKCS7 Only Signed Data Parse Pass #15
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA