VBoot Reference: Fix many memory leaks.
Fix memory leaks found using Valgrind, and add sanity checking to the RSAPublicKey parsing code to prevent crazy behavior.
Review URL: http://codereview.chromium.org/858008
diff --git a/crypto/rsa_utility.c b/crypto/rsa_utility.c
index e0071c1..9b419d0 100644
--- a/crypto/rsa_utility.c
+++ b/crypto/rsa_utility.c
@@ -20,6 +20,13 @@
return (2 * key_len + sizeof(int) + sizeof(uint32_t));
}
+RSAPublicKey* RSAPublicKeyNew(void) {
+ RSAPublicKey* key = (RSAPublicKey*) Malloc(sizeof(RSAPublicKey));
+ key->n = NULL;
+ key->rr = NULL;
+ return key;
+}
+
void RSAPublicKeyFree(RSAPublicKey* key) {
if (key) {
Free(key->n);
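Review bot: `RSAPublicKeyNew` dereferences the `Malloc` result immediately (`key->n = NULL;`) and leaves `key->len` unset. If the `Malloc` wrapper can return NULL (its definition is not on this page), a guard such as `if (!key) return NULL;` is needed before the two assignments, with callers checking the result. Adding `key->len = 0;` next to the pointer initialisers would also stop a too-short input in `RSAPublicKeyFromBuf` from leaving the length indeterminate before it is multiplied and checked, assuming `StatefulMemcpy` skips the write on underrun. A short comment stating that the returned key must be released with `RSAPublicKeyFree` would document ownership.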
@@ -29,15 +36,24 @@
}
RSAPublicKey* RSAPublicKeyFromBuf(const uint8_t* buf, int len) {
- RSAPublicKey* key = (RSAPublicKey*) Malloc(sizeof(RSAPublicKey));
+ RSAPublicKey* key = RSAPublicKeyNew();
MemcpyState st;
int key_len;
st.remaining_buf = (uint8_t*) buf;
st.remaining_len = len;
-
StatefulMemcpy(&st, &key->len, sizeof(key->len));
key_len = key->len * sizeof(uint32_t); /* key length in bytes. */
+
+ /* Sanity Check the key length. */
+ if (RSA1024NUMBYTES != key_len &&
+ RSA2048NUMBYTES != key_len &&
+ RSA4096NUMBYTES != key_len &&
+ RSA8192NUMBYTES != key_len) {
+ RSAPublicKeyFree(key);
+ return NULL;
+ }
+
key->n = (uint32_t*) Malloc(key_len);
key->rr = (uint32_t*) Malloc(key_len);
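Review bot: The new sanity check tests `key_len`, which is `key->len * sizeof(uint32_t)` narrowed into an `int`, rather than the `key->len` word count that was read from the buffer. Depending on the declared type of `len` (not visible here), an out-of-range count could wrap to one of the four accepted byte sizes, leaving `key->len` inconsistent with the `n` and `rr` allocations for any later code that trusts it. Bounding the count before the multiply closes that gap, e.g. `if (key->len <= 0 || key->len > RSA8192NUMBYTES / sizeof(uint32_t)) { RSAPublicKeyFree(key); return NULL; }`, adjusted for the field's signedness. The two `Malloc` results after the check are also passed on without a NULL test, which matters if that wrapper can fail. The function body continues outside this hunk.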
@@ -45,9 +61,7 @@
StatefulMemcpy(&st, key->n, key_len);
StatefulMemcpy(&st, key->rr, key_len);
if (st.remaining_len != 0) { /* Underrun or overrun. */
- Free(key->n);
- Free(key->rr);
- Free(key);
+ RSAPublicKeyFree(key);
return NULL;
}