Issue 59: Potential Redundant Memory Release in Error Handling

Reason for change: Add a check before free, and fix the Memory free in Error Handling
Risks: None
Priority: P1
Signed-off-by: Harikrishna Srinivasan <hsrini103@comcast.com>

Author: harindhu007

src/sec_adapter_asn1kc.c

@@ -1,5 +1,5 @@
 /**
- * Copyright 2020-2021 Comcast Cable Communications Management, LLC
+ * Copyright 2020-2025 Comcast Cable Communications Management, LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -713,7 +713,7 @@ Sec_Result SecAsn1KC_AddAttrBuffer(Sec_Asn1KC* kc, const char* key, void* buf, S
     } while (false);
 
     if (result != SEC_RESULT_SUCCESS) {
-        free(ptr);
+        SEC_FREE(ptr);
     }
     return result;
 }

src/sec_adapter_cipher.c

@@ -1,5 +1,5 @@
 /**
- * Copyright 2020-2023 Comcast Cable Communications Management, LLC
+ * Copyright 2020-2025 Comcast Cable Communications Management, LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -964,7 +964,7 @@ Sec_Result SecCipher_ProcessOpaqueWithMap(Sec_CipherHandle* cipherHandle, SEC_BY
     out_buffer.context.svp.offset = 0;
     out_buffer.context.svp.buffer = get_svp_buffer(cipherHandle->processorHandle, *opaqueBufferHandle);
     if (out_buffer.context.svp.buffer == INVALID_HANDLE) {
-        free(subsample_lengths);
+        SEC_FREE(subsample_lengths);
         SecOpaqueBuffer_Free(*opaqueBufferHandle);
         *opaqueBufferHandle = NULL;
         *bytesWritten = 0;
@@ -989,7 +989,7 @@ Sec_Result SecCipher_ProcessOpaqueWithMap(Sec_CipherHandle* cipherHandle, SEC_BY
     sample.in = &in_buffer;
 
     sa_status status = sa_invoke(cipherHandle->processorHandle, SA_PROCESS_COMMON_ENCRYPTION, (size_t) 1, &sample);
-    free(subsample_lengths);
+    SEC_FREE(subsample_lengths);
     if (status != SA_STATUS_OK) {
         SecOpaqueBuffer_Free(*opaqueBufferHandle);
         *opaqueBufferHandle = NULL;
@@ -1058,7 +1058,7 @@ Sec_Result SecCipher_ProcessOpaqueWithMapAndPattern(Sec_CipherHandle* cipherHand
     out_buffer.context.svp.offset = 0;
     out_buffer.context.svp.buffer = get_svp_buffer(cipherHandle->processorHandle, *opaqueBufferHandle);
     if (out_buffer.context.svp.buffer == INVALID_HANDLE) {
-        free(subsample_lengths);
+        SEC_FREE(subsample_lengths);
         SecOpaqueBuffer_Free(*opaqueBufferHandle);
         *opaqueBufferHandle = NULL;
         *bytesWritten = 0;
@@ -1083,7 +1083,7 @@ Sec_Result SecCipher_ProcessOpaqueWithMapAndPattern(Sec_CipherHandle* cipherHand
     sample.in = &in_buffer;
 
     sa_status status = sa_invoke(cipherHandle->processorHandle, SA_PROCESS_COMMON_ENCRYPTION, (size_t) 1, &sample);
-    free(subsample_lengths);
+    SEC_FREE(subsample_lengths);
     if (status != SA_STATUS_OK) {
         SecOpaqueBuffer_Free(*opaqueBufferHandle);
         *opaqueBufferHandle = NULL;

src/sec_adapter_key.c

@@ -994,7 +994,7 @@ Sec_Result SecKey_ECDHKeyAgreementWithKDF(Sec_KeyHandle* keyHandle, Sec_ECCRawPu
 
     sa_status status = sa_invoke(keyHandle->processorHandle, SA_KEY_EXCHANGE, &shared_secret, &rights,
             SA_KEY_EXCHANGE_ALGORITHM_ECDH, keyHandle->key.handle, other_public, (size_t) other_public_length, NULL);
-    free(other_public);
+    SEC_FREE(other_public);
     CHECK_STATUS(status)
 
     // Derive the key from the shared secret using a key derivation algorithm.
@@ -2697,21 +2697,21 @@ static bool is_jwt_key_container(SEC_BYTE* key_buffer, SEC_SIZE key_length) {
     SEC_SIZE length;
     SEC_BYTE* header = malloc(header_length);
     Sec_Result result = SecUtils_Base64Decode(header_b64, header_b64_length, header, header_length, &length);
-    free(header);
+    SEC_FREE(header);
     if (result != SEC_RESULT_SUCCESS)
         return false;
 
     SEC_SIZE payload_length = 3 * payload_b64_length / 4;
     SEC_BYTE* payload = malloc(payload_length);
     result = SecUtils_Base64Decode(payload_b64, payload_b64_length, payload, payload_length, &length);
-    free(payload);
+    SEC_FREE(payload);
     if (result != SEC_RESULT_SUCCESS)
         return false;
 
     SEC_SIZE mac_length = 3 * mac_b64_length / 4;
     SEC_BYTE* mac = malloc(mac_length);
     result = SecUtils_Base64Decode(mac_b64, mac_b64_length, mac, mac_length, &length);
-    free(mac);
+    SEC_FREE(mac);
     if (result != SEC_RESULT_SUCCESS)
         return false;
 

src/sec_adapter_keyexchange.c

@@ -1,5 +1,5 @@
 /**
- * Copyright 2020-2023 Comcast Cable Communications Management, LLC
+ * Copyright 2020-2025 Comcast Cable Communications Management, LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -315,7 +315,7 @@ Sec_Result SecKeyExchange_ComputeSecret(Sec_KeyExchangeHandle* keyExchangeHandle
             EVP_PKEY_free(evp_pkey);
             if (key_len <= 0) {
                 SEC_LOG_ERROR("i2d_PUBKEY failed");
-                free(public_key_bytes);
+                SEC_FREE(public_key_bytes);
                 return SEC_RESULT_FAILURE;
             }
 
@@ -350,7 +350,7 @@ Sec_Result SecKeyExchange_ComputeSecret(Sec_KeyExchangeHandle* keyExchangeHandle
     sa_key shared_secret;
     sa_status status = sa_invoke(keyExchangeHandle->processorHandle, SA_KEY_EXCHANGE, &shared_secret, &rights,
             algorithm, *keyExchangeHandle->key, public_key_bytes, (size_t) key_len, NULL);
-    free(public_key_bytes);
+    SEC_FREE(public_key_bytes);
     CHECK_STATUS(status)
 
     Sec_Key key = {.handle = shared_secret};

src/sec_adapter_mac.c

@@ -1,5 +1,5 @@
 /**
- * Copyright 2020-2022 Comcast Cable Communications Management, LLC
+ * Copyright 2020-2025 Comcast Cable Communications Management, LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -116,15 +116,15 @@ Sec_Result SecMac_GetInstance(Sec_ProcessorHandle* processorHandle, Sec_MacAlgor
             break;
 
         default:
-            free(newMacHandle);
+            SEC_FREE(newMacHandle);
             return SEC_RESULT_INVALID_PARAMETERS;
     }
 
     const Sec_Key* key = get_key(keyHandle);
     sa_status status = sa_invoke(processorHandle, SA_CRYPTO_MAC_INIT, &newMacHandle->mac_context, mac_algorithm,
             key->handle, parameters);
     if (status != SA_STATUS_OK)
-        free(newMacHandle);
+        SEC_FREE(newMacHandle);
 
     CHECK_STATUS(status)
     *macHandle = newMacHandle;

src/sec_adapter_processor.c

@@ -1,5 +1,5 @@
 /**
- * Copyright 2020-2023 Comcast Cable Communications Management, LLC
+ * Copyright 2020-2025 Comcast Cable Communications Management, LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -404,7 +404,7 @@ Sec_Result SecProcessor_Release(Sec_ProcessorHandle* processorHandle) {
 
     SEC_FREE(processorHandle->app_dir);
     SEC_FREE(processorHandle->global_dir);
-    free(processorHandle);
+    SEC_FREE(processorHandle);
     return SEC_RESULT_SUCCESS;
 }
 
@@ -429,7 +429,7 @@ void Sec_NativeFree(Sec_ProcessorHandle* processorHandle, void* ptr) {
     if (processorHandle == NULL)
         return;
 
-    free(ptr);
+    SEC_FREE(ptr);
 }
 
 Sec_Result Sec_SetStorageDir(const char* provided_dir, const char* default_dir, char* output_dir) {

src/sec_adapter_pubops.c

@@ -1,5 +1,5 @@
 /**
- * Copyright 2020-2021 Comcast Cable Communications Management, LLC
+ * Copyright 2020-2025 Comcast Cable Communications Management, LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -661,7 +661,7 @@ Sec_Result Pubops_ExtractECCPubToPUBKEYDer(Sec_ECCRawPublicKey* eccRawPublicKey,
     EC_KEY_free(ec_key);
     if (*outLength <= 0) {
         SEC_LOG_ERROR("i2d_EC_PUBKEY failed");
-        free(*out);
+        SEC_FREE(*out);
         return SEC_RESULT_FAILURE;
     }