Ensure wrapped key is freed in get_aes256_key (#6997)

jo · web-flow · commit cd04a4d1a742 · 2025-10-06T16:11:03.000Z
diff --git a/components/support/rc_crypto/nss/src/pk11/sym_key.rs b/components/support/rc_crypto/nss/src/pk11/sym_key.rs
@@ -217,6 +217,14 @@ fn get_aes256_key(name: &str) -> Result<SymKey> {
             }
             .map_err(|_| get_last_error())?;
 
+            // This cleanup will not run if a previous operation fails and causes an early return.
+            // Using an RAII-style wrapper would be preferable to ensure the item is always freed,
+            // but given that an earlier failure likely prevents startup, it is acceptable.
+            //
+            // See: https://bugzilla.mozilla.org/show_bug.cgi?id=1992756 for a follow-up
+            // improvement.
+            unsafe { nss_sys::SECITEM_FreeItem(wrapped_key, nss_sys::PR_TRUE) }
+
             map_nss_secstatus(|| unsafe { nss_sys::PK11_ExtractKeyValue(sym_key.as_mut_ptr()) })?;
             Ok(sym_key)
         }

Original file line number	Diff line number	Diff line change
`@@ -217,6 +217,14 @@ fn get_aes256_key(name: &str) -> Result<SymKey> {`
`217`	`217`	`}`
`218`	`218`	`.map_err(\|_\| get_last_error())?;`
`219`	`219`
	`220`	`+ // This cleanup will not run if a previous operation fails and causes an early return.`
	`221`	`+ // Using an RAII-style wrapper would be preferable to ensure the item is always freed,`
	`222`	`+ // but given that an earlier failure likely prevents startup, it is acceptable.`
	`223`	`+ //`
	`224`	`+ // See: https://bugzilla.mozilla.org/show_bug.cgi?id=1992756 for a follow-up`
	`225`	`+ // improvement.`
	`226`	`+ unsafe { nss_sys::SECITEM_FreeItem(wrapped_key, nss_sys::PR_TRUE) }`
	`227`	`+`
`220`	`228`	`map_nss_secstatus(\|\| unsafe { nss_sys::PK11_ExtractKeyValue(sym_key.as_mut_ptr()) })?;`
`221`	`229`	`Ok(sym_key)`
`222`	`230`	`}`