Hello everybody,
we at SUSE ran address sanitizer against libnettle and found two bugs [1][2].
The first one is easy to fix (simple off-by-one) and thus we already have the patch (see attachment 0001-...).
The second one is about memory leaks, and it would be better if someone more aware of the source took a look whether and how to fix it.
Cheers
Tom
[1] https://bugzilla.suse.com/show_bug.cgi?id=928328
[2] https://bugzilla.suse.com/show_bug.cgi?id=929109
PS: I am not subscribed so keep me in CC please.
Tomáš Chvátal <tchvatal@suse.com> writes:
> we at SUSE ran address sanitizer against libnettle and found two bugs [1][2].
Thanks for the report, and sorry for the late reply.
> The first one is easy to fix (simple off-by-one) and thus we already have the patch (see attachment 0001-...).
In the bug report, please include information about
1. which version of Nettle you used, and
2. what error you believe you are fixing.
I guess this issue is fixed in the latest version, but not in 2.7.1. You may want to backport the same fix, see https://git.lysator.liu.se/nettle/nettle/commit/abf3870cba401bc797676cdee84f...
> The second one is about memory leaks, and it would be better if someone more aware of the source took a look whether and how to fix it.
This looks like the program eccdata doesn't free its storage before exit. This is a program used at build time to generate ecc-related tables.
I'd accept patches to fix this, but I don't think it's very important. I think the nicest way is to add a function ecc_curve_clear to deallocate all storage, and add a call
  ecc_curve_clear (&ecc);
at the end of the main function.
Regards, /Niels
nettle-bugs@lists.lysator.liu.se