From a51ac8593b33405891b8192a5bd559af6764f45d Mon Sep 17 00:00:00 2001
From: Anthony Romano <anthony.romano@coreos.com>
Date: Sun, 16 Jul 2017 19:36:34 -0700
Subject: [PATCH] call-rsa: free modulus buffers on error paths.

* MPI_CHK jumps to cleanup on ret != 0, so p_q_modulus is never freed if
  rsa_gen_key fails (detected via scan-build).
* modulus_calc never freed its modulus buffer on error.

Signed-off-by: Anthony Romano <anthony.romano@coreos.com>
---
 ChangeLog      |  9 +++++++++
 src/call-rsa.c | 21 +++++++--------------
 src/main.c     |  3 +++
 3 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index e51b15f..9aec6c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2017-07-18  Anthony Romano <anthony.romano@coreos.com>
+
+	* src/call-rsa.c (modulus_calc): Free modulus on error.
+	(rsa_genkey): Remove bogus check, and call chopstx_cleanup_pop
+	with 1 to release p_q_modulus on error.  Assign NULL to clp.arg
+	when it's goes with no error.
+
+	* src/main.c (gnuk_free): Allow NULL.
+
 2017-07-18  NIIBE Yutaka  <gniibe@fsij.org>
 
 	* Update chopstx (with USBIP emulation).
diff --git a/src/call-rsa.c b/src/call-rsa.c
index 9800462..87a263c 100644
--- a/src/call-rsa.c
+++ b/src/call-rsa.c
@@ -130,9 +130,11 @@ modulus_calc (const uint8_t *p, int len)
  cleanup:
   mpi_free (&P);  mpi_free (&Q);  mpi_free (&N);
   if (ret != 0)
-    return NULL;
-  else
-    return modulus;
+    {
+      free (modulus);
+      return NULL;
+    }
+  return modulus;
 }
 
 
@@ -261,23 +263,14 @@ rsa_genkey (int pubkey_len)
   cs = chopstx_setcancelstate (0); /* Allow cancellation.  */
   MPI_CHK( rsa_gen_key (&rsa_ctx, random_gen, &index, pubkey_len * 8,
 			RSA_EXPONENT) );
-  if (ret != 0)
-    {
-      chopstx_setcancelstate (cs);
-      chopstx_cleanup_pop (0);
-      free (p_q_modulus);
-      rsa_free (&rsa_ctx);
-      return NULL;
-    }
-
   MPI_CHK( mpi_write_binary (&rsa_ctx.P, p, pubkey_len / 2) );
   MPI_CHK( mpi_write_binary (&rsa_ctx.Q, q, pubkey_len / 2) );
   MPI_CHK( mpi_write_binary (&rsa_ctx.N, modulus, pubkey_len) );
+  clp.arg = NULL;
 
  cleanup:
   chopstx_setcancelstate (cs);
-  chopstx_cleanup_pop (0);
-  rsa_free (&rsa_ctx);
+  chopstx_cleanup_pop (1);
   if (ret != 0)
       return NULL;
   else
diff --git a/src/main.c b/src/main.c
index d4451eb..5e48bad 100644
--- a/src/main.c
+++ b/src/main.c
@@ -457,6 +457,9 @@ gnuk_free (void *p)
   struct mem_head *m = (struct mem_head *)((void *)p - sizeof (uint32_t));
   struct mem_head *m0;
 
+  if (p == NULL)
+    return;
+
   chopstx_mutex_lock (&malloc_mtx);
   m0 = free_list;
   DEBUG_INFO ("free: ");