From d31b9604e33deaedaadc44bcbe03db5d51087b8b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 17 Apr 2018 07:45:54 +0200
Subject: tls13/finished: addressed memory leak in receiving finished packet
Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7518
Signed-off-by: Nikos Mavrogiannopoulos
---
 .../e40a8cc4e868b450a442d905d914aee402b57a15 | Bin 0 -> 437 bytes
 lib/tls13/finished.c | 10 +++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)
 create mode 100644 fuzz/gnutls_psk_server_fuzzer.repro/e40a8cc4e868b450a442d905d914aee402b57a15
diff --git a/fuzz/gnutls_psk_server_fuzzer.repro/e40a8cc4e868b450a442d905d914aee402b57a15 b/fuzz/gnutls_psk_server_fuzzer.repro/e40a8cc4e868b450a442d905d914aee402b57a15
new file mode 100644
index 0000000000..2efe90c63b
Binary files /dev/null and b/fuzz/gnutls_psk_server_fuzzer.repro/e40a8cc4e868b450a442d905d914aee402b57a15 differ
diff --git a/lib/tls13/finished.c b/lib/tls13/finished.c
index c28d24a19d..bb535fff87 100644
--- a/lib/tls13/finished.c
+++ b/lib/tls13/finished.c
@@ -96,8 +96,11 @@ int _gnutls13_recv_finished(gnutls_session_t session)
 _gnutls_handshake_log("HSK[%p]: parsing finished\n", session);
- if (buf.length != hash_size)
- return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+ if (buf.length != hash_size) {
+ gnutls_assert();
+ ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+ goto cleanup;
+ }
 #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
@@ -105,7 +108,8 @@ int _gnutls13_recv_finished(gnutls_session_t session)
 #else
 if (safe_memcmp(verifier, buf.data, buf.length) != 0) {
 gnutls_assert();
- return GNUTLS_E_ERROR_IN_FINISHED_PACKET;
+ ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
+ goto cleanup;
 }
 #endif
--
cgit v1.2.1
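Review bot: Both new error paths spell the log call and the code assignment as two statements, `gnutls_assert(); ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; goto cleanup;`, although the removed line shows the file already uses `gnutls_assert_val()`, which returns its argument; `ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); goto cleanup;` keeps the same log point in one line, and the safe_memcmp branch in the second hunk can be written the same way. The `cleanup:` label, the declaration of `ret` and the rest of _gnutls13_recv_finished lie outside both hunks, so it is worth confirming that cleanup releases `buf` on every path and that no other early `return` between receiving the handshake message and these two checks still bypasses it. Since both paths are reachable by an unauthenticated peer sending a malformed Finished, a remaining leak there would be a repeatable resource-exhaustion vector rather than a one-off bug.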