Potential Double free in the older version of libtomcrypt

[viennadd]

Hi all,

Our code scanner Pinpoint has reported a double free at

optee_os/core/lib/libtomcrypt/src/pk/dsa/dsa_import.c

Lines 136 to 158 in 24bb751

	if ((err=der_decode_integer(tmpbuf, tmpbuf_len, key->y)) != CRYPT_OK) {
	goto LBL_ERR;
	}
	XFREE(tmpbuf);
	key->type = PK_PUBLIC;
	}
	LBL_OK:
	key->qord = mp_unsigned_bin_size(key->q);
	if (key->qord >= LTC_MDSA_MAX_GROUP || key->qord <= 15 ||
	(unsigned long)key->qord >= mp_unsigned_bin_size(key->p) || (mp_unsigned_bin_size(key->p) - key->qord) >= LTC_MDSA_DELTA) {
	err = CRYPT_INVALID_PACKET;
	goto LBL_ERR;
	}
	return CRYPT_OK;
	LBL_ERR:
	XFREE(tmpbuf);
	mp_clear_multi(key->p, key->g, key->q, key->x, key->y, NULL);
	return err;
	}

if it follows the goto LBL_ERR; in line 150, tmpbuf will be freed again, seems the upstream of libtomcrypt have already fixed this issue.

Regards,
Alex, Sourcebrella Inc.

[jforissier]

Hi @viennadd,

Thanks for reporting this. Please note that dsa_import.c is normally not used by OP-TEE, so the bug cannot occur. Still, I'll pick up the upstream patch since we do have the file in our tree and some users might be using it in their private branches.

[viennadd]

@jforissier great job, I should close this issue.