Fix buffer leaks during PEM to KeyStore conversion

2014-05-18 04:26:16 +09:00 · 2014-05-18 04:26:16 +09:00 · d6262a3542
commit d6262a3542
parent 79f2f332ec
3 changed files with 30 additions and 9 deletions
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java
@ -123,10 +123,17 @@ public final class JdkSslClientContext extends JdkSslContext {
                ks.load(null, null);
                CertificateFactory cf = CertificateFactory.getInstance("X.509");

-                for (ByteBuf buf: PemReader.readCertificates(certChainFile)) {
-                    X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteBufInputStream(buf));
-                    X500Principal principal = cert.getSubjectX500Principal();
-                    ks.setCertificateEntry(principal.getName("RFC2253"), cert);
+                ByteBuf[] certs = PemReader.readCertificates(certChainFile);
+                try {
+                    for (ByteBuf buf: certs) {
+                        X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteBufInputStream(buf));
+                        X500Principal principal = cert.getSubjectX500Principal();
+                        ks.setCertificateEntry(principal.getName("RFC2253"), cert);
+                    }
+                } finally {
+                    for (ByteBuf buf: certs) {
+                        buf.release();
+                    }
                }

                // Set up trust manager factory to use our key store.
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java
@ -117,7 +117,7 @@ public final class JdkSslServerContext extends JdkSslContext {

            ByteBuf encodedKeyBuf = PemReader.readPrivateKey(keyFile);
            byte[] encodedKey = new byte[encodedKeyBuf.readableBytes()];
-            encodedKeyBuf.readBytes(encodedKey);
+            encodedKeyBuf.readBytes(encodedKey).release();
            PKCS8EncodedKeySpec encodedKeySpec = new PKCS8EncodedKeySpec(encodedKey);

            PrivateKey key;
@ -128,8 +128,15 @@ public final class JdkSslServerContext extends JdkSslContext {
            }

            List<Certificate> certChain = new ArrayList<Certificate>();
-            for (ByteBuf buf: PemReader.readCertificates(certChainFile)) {
-                certChain.add(cf.generateCertificate(new ByteBufInputStream(buf)));
+            ByteBuf[] certs = PemReader.readCertificates(certChainFile);
+            try {
+                for (ByteBuf buf: certs) {
+                    certChain.add(cf.generateCertificate(new ByteBufInputStream(buf)));
+                }
+            } finally {
+                for (ByteBuf buf: certs) {
+                    buf.release();
+                }
            }

            ks.setKeyEntry("key", key, keyPassword.toCharArray(), certChain.toArray(new Certificate[certChain.size()]));
--- a/handler/src/main/java/io/netty/handler/ssl/PemReader.java
+++ b/handler/src/main/java/io/netty/handler/ssl/PemReader.java
@ -71,7 +71,11 @@ final class PemReader {
                break;
            }

-            certs.add(Base64.decode(Unpooled.copiedBuffer(m.group(1), CharsetUtil.US_ASCII)));
+            ByteBuf base64 = Unpooled.copiedBuffer(m.group(1), CharsetUtil.US_ASCII);
+            ByteBuf der = Base64.decode(base64);
+            base64.release();
+            certs.add(der);
+
            start = m.end();
        }

@ -95,7 +99,10 @@ final class PemReader {
            throw new KeyException("found no private key: " + file);
        }

-        return Base64.decode(Unpooled.copiedBuffer(m.group(1), CharsetUtil.US_ASCII));
+        ByteBuf base64 = Unpooled.copiedBuffer(m.group(1), CharsetUtil.US_ASCII);
+        ByteBuf der = Base64.decode(base64);
+        base64.release();
+        return der;
    }

    private static String readContent(File file) throws IOException {