
[r1.30] CDRIVER-3228 fix memory leaks in SChannel cert loading (#2009) #2015


Merged
merged 3 commits into from
May 19, 2025


kevinAlbs
Collaborator

Backport of #2009 to r1.30 branch. Commits in CDRIVER-5743 are also backported to avoid a merge conflict. Tested with this patch.

mdbmes and others added 3 commits May 16, 2025 12:46
…1903)

* NUL termination and error handling fixes for mongoc_secure_channel_setup_ca
* Store and free client cert context
* Free on successful load of client cert
** Do not return before `fail` label.
* Free `hKey`
* Free pem file and cert when loading CA file
* Release provider context on error
* NUL terminate pem file contents
** To ensure `strstr` does not read past memory on failure to find.
* Remove unused printf
* Add `read_file_and_null_terminate` helper
* Rename `encrypted_*` to `encoded_*`
** Encrypted keys are not supported with SChannel.
** "encoded" is consistent with naming in WinCrypt API.
* Check if `pem_public` is NULL
** Avoids NULL deref if PEM file does not have public cert
* Remove call to `CryptQueryObject` for public cert
** The flag `CERT_QUERY_CONTENT_FLAG_ALL` is likely incorrect (only certificate is expected)
* Remove call to `CryptQueryObject` for CRL
** Return was wrongly stored in a `CERT_CONTEXT` (needed `CRL_CONTEXT`).
** Use `CertCreateCRLContext` for consistency with other PEM-reading functions.
* Remove unused params

---------

Co-authored-by: Ezra Chung <[email protected]>
@kevinAlbs kevinAlbs requested a review from a user May 16, 2025 16:47
@kevinAlbs kevinAlbs requested a review from a team as a code owner May 16, 2025 16:47
@kevinAlbs kevinAlbs merged commit 0dc5a96 into mongodb:r1.30 May 19, 2025
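
The NUL-termination, NULL-check and free-on-every-path fixes listed in the commit message, shown as an added portable C sketch; it is not the driver's code and not part of this PR. `read_file_nul_terminated` and `pem_has_certificate` are hypothetical names, and the WinCrypt calls are left out so the sketch builds on any platform.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not the driver's implementation: read a whole file and
 * append a NUL byte so strstr() cannot run past the end of the data.
 * Returns a malloc'd buffer (caller frees) or NULL on any error. */
static char *read_file_nul_terminated(const char *path)
{
    char *buf = NULL;
    long size;
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    if (fseek(f, 0, SEEK_END) != 0 || (size = ftell(f)) < 0 ||
        fseek(f, 0, SEEK_SET) != 0)
        goto fail;
    buf = malloc((size_t)size + 1); /* +1 for the terminator */
    if (!buf) goto fail;
    if (fread(buf, 1, (size_t)size, f) != (size_t)size) goto fail;
    buf[size] = '\0';
    fclose(f);
    return buf;
fail: /* single cleanup path: no early return that skips the frees */
    free(buf);
    fclose(f);
    return NULL;
}

/* 1 if the file holds a certificate block, 0 if not, -1 if it cannot be read. */
static int pem_has_certificate(const char *path)
{
    int found;
    char *pem = read_file_nul_terminated(path);
    if (!pem) return -1;
    /* A missing marker yields NULL; test it instead of dereferencing it. */
    found = strstr(pem, "-----BEGIN CERTIFICATE-----") != NULL;
    free(pem); /* released on the success path as well */
    return found;
}

int main(int argc, char **argv)
{
    if (argc > 1) printf("%s: %d\n", argv[1], pem_has_certificate(argv[1]));
    return 0;
}
```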