Skip to content

[CWE-401] cbortojson: fix memory leak when realloc() is fails#303

Open
GermanAizek wants to merge 1 commit intointel:mainfrom
GermanAizek:fix-cwe-401
Open

[CWE-401] cbortojson: fix memory leak when realloc() is fails#303
GermanAizek wants to merge 1 commit intointel:mainfrom
GermanAizek:fix-cwe-401

Conversation

@GermanAizek
Copy link

@GermanAizek GermanAizek commented Aug 19, 2025
edited
Loading

@thiagomacieira, I accidentally found it while I was studying the source code.

About security patch changes:

It is better to close this possible leak before assign CVE id and score, and also protect yourself from possible attack vectors by intruders.

This commit also have identical issue as real CVE-2019-17178 vulnerability in FreeRDP project:

Fix commit - FreeRDP/FreeRDP@9fee4ae

Issue - FreeRDP/FreeRDP#5645

More info about CWE metrics:

https://cwe.mitre.org/data/definitions/401.html

@GermanAizek
cbortojson: [CWE-401] fix memory leak when realloc() is fails
37b34ca 
This commit also have identical issue as real CVE-2019-17178 vulnerability in FreeRDP project:
Fix commit - FreeRDP/FreeRDP@9fee4ae
Issue - FreeRDP/FreeRDP#5645

More info about CWE metrics:
https://cwe.mitre.org/data/definitions/401.html
@GermanAizek GermanAizek changed the title cbortojson: [CWE-401] fix memory leak when realloc() is fails [CWE-401] cbortojson: fix memory leak when realloc() is fails Aug 19, 2025
@thiagomacieira
Copy link
Member

thiagomacieira commented Aug 20, 2025

@thiagomacieira, I accidentally found it while I was studying the source code.

Hello @GermanAizek. Thank you for your contributions.

This commit also have identical issue as real CVE-2019-17178 vulnerability in FreeRDP project:

Fix commit - FreeRDP/FreeRDP@9fee4ae

This is not the same. In the FreeRDP change, the resulting code is freeing the previous buffer that had been allocated:

		tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
		if (!tmp2)
			free(tmp);
		tmp = tmp2;

That's not the case here: we are just returning CborErrorOutOfMemory. It's up to the caller to free the buffer and it will:

            err = escape_text_string(str, &alloc, &offset, chunk, len);
    }

    if (likely(err == CborErrorNoMoreStringChunks)) {
... doesn't get run ...
    }

    cbor_free(*str);
    *str = NULL;
    return err;

thiagomacieira
thiagomacieira requested changes Aug 20, 2025
View reviewed changes
src/cbortojson.c
Comment on lines +332 to +335
char *tmp = cbor_realloc(buf, needed);
if (!tmp)
return CborErrorOutOfMemory;
buf = tmp;
Copy link
Member

@thiagomacieira thiagomacieira Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even if there is a problem with freeing, this patch isn't solving it. buf is a local variable in this function, so adding yet another temporary is not going to help. This code will compile to exactly the same assembly before and after the change.

Copy link
Author

@GermanAizek GermanAizek Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@thiagomacieira, how do you propose a change so that its more secure?

Copy link
Member

@thiagomacieira thiagomacieira Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm saying it's already secure.

@thiagomacieira
Copy link
Member

thiagomacieira commented Aug 25, 2025

I'm not seeing a problem here. Can you show an example of where there would be an issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thiagomacieira thiagomacieira thiagomacieira requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@GermanAizek @thiagomacieira