Merge 'iotssl-566-2.1-double-free-restricted'

Merge remote-tracking branch 'restricted/iotssl-566-2.1-double-free-restricted' into mbedtls-2.1
2025-02-02 11:01:11 +00:00 · 2015-12-23 16:49:46 +00:00 · 2015-12-23 16:49:46 +00:00 · 35ea92dbc6
parent 2bc3897a53 3e60d2a458
commit 35ea92dbc6
2 changed files with 16 additions and 12 deletions
--- a/5
+++ b/5
@ -2,6 +2,11 @@ mbed TLS ChangeLog (Sorted per branch, date)

 = mbed TLS 2.1.4 released 2015-12-xx

+Security
+   * Fix potential double free when mbedtls_asn1_store_named_data() fails to
+     allocate memory. Only used for certificate generation, not triggerable
+     remotely in SSL/TLS. Found by Rafał Przywara. #367
+
 Bugfix
   * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362

--- a/library/asn1write.c
+++ b/library/asn1write.c
@ -339,19 +339,18 @@ mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( mbedtls_asn1_named_data
    }
    else if( cur->val.len < val_len )
    {
-        // Enlarge existing value buffer if needed
-        //
-        mbedtls_free( cur->val.p );
-        cur->val.p = NULL;
-
-        cur->val.len = val_len;
-        cur->val.p = mbedtls_calloc( 1, val_len );
-        if( cur->val.p == NULL )
-        {
-            mbedtls_free( cur->oid.p );
-            mbedtls_free( cur );
+        /*
+         * Enlarge existing value buffer if needed
+         * Preserve old data until the allocation succeeded, to leave list in
+         * a consistent state in case allocation fails.
+         */
+        void *p = mbedtls_calloc( 1, val_len );
+        if( p == NULL )
            return( NULL );
-        }
+
+        mbedtls_free( cur->val.p );
+        cur->val.p = p;
+        cur->val.len = val_len;
    }

    if( val != NULL )