call-rsa: free modulus buffers on error paths.

* MPI_CHK jumps to cleanup on ret != 0, so p_q_modulus is never freed if
  rsa_gen_key fails (detected via scan-build).
* modulus_calc never freed its modulus buffer on error.

Signed-off-by: Anthony Romano <anthony.romano@coreos.com>

ChangeLog

@@ -1,3 +1,12 @@
+2017-07-18  Anthony Romano <anthony.romano@coreos.com>
+
+	* src/call-rsa.c (modulus_calc): Free modulus on error.
+	(rsa_genkey): Remove bogus check, and call chopstx_cleanup_pop
+	with 1 to release p_q_modulus on error.  Assign NULL to clp.arg
+	when it's goes with no error.
+
+	* src/main.c (gnuk_free): Allow NULL.
+
 2017-07-18  NIIBE Yutaka  <gniibe@fsij.org>
 
 	* Update chopstx (with USBIP emulation).

src/call-rsa.c

@@ -130,8 +130,10 @@ modulus_calc (const uint8_t *p, int len)
  cleanup:
   mpi_free (&P);  mpi_free (&Q);  mpi_free (&N);
   if (ret != 0)
+    {
+      free (modulus);
       return NULL;
-  else
+    }
   return modulus;
 }
 
@@ -261,23 +263,14 @@ rsa_genkey (int pubkey_len)
   cs = chopstx_setcancelstate (0); /* Allow cancellation.  */
   MPI_CHK( rsa_gen_key (&rsa_ctx, random_gen, &index, pubkey_len * 8,
 			RSA_EXPONENT) );
-  if (ret != 0)
-    {
-      chopstx_setcancelstate (cs);
-      chopstx_cleanup_pop (0);
-      free (p_q_modulus);
-      rsa_free (&rsa_ctx);
-      return NULL;
-    }
-
   MPI_CHK( mpi_write_binary (&rsa_ctx.P, p, pubkey_len / 2) );
   MPI_CHK( mpi_write_binary (&rsa_ctx.Q, q, pubkey_len / 2) );
   MPI_CHK( mpi_write_binary (&rsa_ctx.N, modulus, pubkey_len) );
+  clp.arg = NULL;
 
  cleanup:
   chopstx_setcancelstate (cs);
-  chopstx_cleanup_pop (0);
+  chopstx_cleanup_pop (1);
-  rsa_free (&rsa_ctx);
   if (ret != 0)
       return NULL;
   else

src/main.c

@@ -457,6 +457,9 @@ gnuk_free (void *p)
   struct mem_head *m = (struct mem_head *)((void *)p - sizeof (uint32_t));
   struct mem_head *m0;
 
+  if (p == NULL)
+    return;
+
   chopstx_mutex_lock (&malloc_mtx);
   m0 = free_list;
   DEBUG_INFO ("free: ");