CryptoLib Memory Leak Vulnerability in Counter Handling Function

Vulnerability

A memory leak vulnerability has been identified in CryptoLib versions through 1.3.3. The issue arises in the 'crypto_handle_incrementing_nontransmitted_counter' function within 'crypto_tc.c', where memory is allocated using 'malloc' without proper deallocation. This flaw can lead to resource exhaustion and degraded system performance, particularly in long-running processes or environments handling large volumes of data. As a result, the vulnerability could potentially cause a Denial of Service (DoS) in such scenarios.

Impact

The vulnerability causes a memory leak, leading to resource exhaustion and reduced system performance. In environments where CryptoLib is used in long-running processes or with high data volumes, this could result in a Denial of Service (DoS).

Reproduction

To reproduce this vulnerability, compile CryptoLib with AddressSanitizer enabled. Then, pass a crafted input to the 'Crypto_TC_ProcessSecurity' function, which will trigger the 'crypto_handle_incrementing_nontransmitted_counter' function. Afterward, check the AddressSanitizer logs, which will indicate a memory leak of 2 bytes from the unfreed 'temp_counter' variable.
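The leak pattern and its fix, as an added illustration that is not CryptoLib's own code: a hypothetical counter check allocates a scratch 'temp_counter' and returns without releasing it, next to the same logic with the release in place. The 8-slot pool standing in for the heap, the function names, the window parameter and the 2-byte sample counters are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 8-slot pool standing in for the heap, so leaked blocks are countable. */
#define SLOTS 8
static uint8_t pool[SLOTS][16];
static int in_use[SLOTS], live;
static void *pool_alloc(size_t n) {
    for (int i = 0; n <= sizeof pool[0] && i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; live++; return pool[i]; }
    return NULL; /* exhausted: every later caller fails */
}
static void pool_free(void *p) {
    for (int i = 0; i < SLOTS; i++)
        if (p == (void *)pool[i] && in_use[i]) { in_use[i] = 0; live--; }
}
int pool_live(void) { return live; }

/* Advance a big-endian counter up to `window` steps: 0 if it reaches rx, else 1. */
static int in_window(uint8_t *c, const uint8_t *rx, size_t len, int window) {
    while (window-- > 0) {
        for (size_t j = len; j-- > 0 && ++c[j] == 0;) { }
        if (memcmp(c, rx, len) == 0) return 0;
    }
    return 1;
}

/* Leaky shape (hypothetical): the scratch copy is dropped on return. -1 = no memory. */
int check_leaky(const uint8_t *stored, const uint8_t *rx, size_t len, int window) {
    uint8_t *temp_counter = pool_alloc(len);
    if (!temp_counter) return -1;
    memcpy(temp_counter, stored, len);
    return in_window(temp_counter, rx, len, window);
}
/* Fixed shape: same logic, scratch copy released before returning. */
int check_fixed(const uint8_t *stored, const uint8_t *rx, size_t len, int window) {
    uint8_t *temp_counter = pool_alloc(len);
    if (!temp_counter) return -1;
    memcpy(temp_counter, stored, len);
    int status = in_window(temp_counter, rx, len, window);
    pool_free(temp_counter);
    return status;
}

int main(void) { /* ten leaky calls against the 8-slot pool: rc turns -1 at call 9 */
    const uint8_t stored[2] = {0x00, 0xFE}, rx[2] = {0x01, 0x00};
    for (int i = 1; i <= 10; i++) printf("call %d: rc=%d\n", i, check_leaky(stored, rx, 2, 4));
    return 0;
}
```

Once the leaky variant has consumed the pool, the fixed variant fails too, which is how a small per-call leak becomes a denial of service for the whole process.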

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.