librbd/crypto: fix memory leak in openssl/DataCryptor

Re-initializing the same datacryptor, causes a memory leak of the old encryption key.
This commit fixes this issue.

Signed-off-by: Or Ozeri <oro@il.ibm.com>
(cherry picked from commit 9992bbaa5303521fafe28a7d5d0581afa7b32da7)

diff --git a/src/librbd/crypto/openssl/DataCryptor.cc b/src/librbd/crypto/openssl/DataCryptor.cc
index 0c164b048f9cdad73202183fa1254053ae243338..aa9427a79b8c07e30211c5357d8d5aa152a843c4 100644 (file)
--- a/src/librbd/crypto/openssl/DataCryptor.cc
+++ b/src/librbd/crypto/openssl/DataCryptor.cc
@@ -13,7 +13,12 @@ namespace openssl {
 
 int DataCryptor::init(const char* cipher_name, const unsigned char* key,
                       uint16_t key_length) {
-  m_key = nullptr;
+  if (m_key != nullptr) {
+    ceph_memzero_s(m_key, m_key_size, m_key_size);
+    delete [] m_key;
+    m_key = nullptr;
+    m_key_size = 0;
+  }
   if (cipher_name == nullptr) {
     lderr(m_cct) << "missing cipher name" << dendl;
     return -EINVAL;
@@ -39,6 +44,7 @@ int DataCryptor::init(const char* cipher_name, const unsigned char* key,
     return -EINVAL;
   }
 
+  m_key_size = key_length;
   m_key = new unsigned char[key_length];
   memcpy(m_key, key, key_length);
   m_iv_size = static_cast<uint32_t>(EVP_CIPHER_iv_length(m_cipher));
@@ -47,8 +53,7 @@ int DataCryptor::init(const char* cipher_name, const unsigned char* key,
 
 DataCryptor::~DataCryptor() {
   if (m_key != nullptr) {
-    ceph_memzero_s(m_key, EVP_CIPHER_key_length(m_cipher),
-                   EVP_CIPHER_key_length(m_cipher));
+    ceph_memzero_s(m_key, m_key_size, m_key_size);
     delete [] m_key;
     m_key = nullptr;
   }

diff --git a/src/librbd/crypto/openssl/DataCryptor.h b/src/librbd/crypto/openssl/DataCryptor.h
index c9a177ef595b4099609cf819cd40f9aa07cfc294..af69568835ee7f25d54f300baafc2a81b748cb9a 100644 (file)
--- a/src/librbd/crypto/openssl/DataCryptor.h
+++ b/src/librbd/crypto/openssl/DataCryptor.h
@@ -35,6 +35,7 @@ public:
 private:
     CephContext* m_cct;
     unsigned char* m_key = nullptr;
+    uint16_t m_key_size = 0;
     const EVP_CIPHER* m_cipher;
     uint32_t m_iv_size;