From 6d49ae92233a6bd1442ecc5aff4ccec4c82719cc Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 7 Nov 2018 03:19:08 -0500 Subject: [PATCH] pk_wrap: nullify the signature pointer on error in extract_ecdsa_sig Fix a double free error in ecdsa_verify_wrap --- library/pk_wrap.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 4a74621fc..3e150a20d 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -576,10 +576,11 @@ static int extract_ecdsa_sig( unsigned char **p, const unsigned char *end, memcpy( sig->p, *p, len_partial ); len_signature = len_partial; ( *p ) += len_partial; - if( ( ret = mbedtls_asn1_get_tag( p, end, &len_partial, MBEDTLS_ASN1_INTEGER ) ) - != 0 ) + if( ( ret = mbedtls_asn1_get_tag( p, end, &len_partial, + MBEDTLS_ASN1_INTEGER ) ) != 0 ) { mbedtls_free( sig->p ); + sig->p = NULL; return( ret ); } @@ -684,10 +685,7 @@ static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, psa_type = PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve ); if( extract_ecdsa_sig( &p, p + sig_len, &signature ) != 0 ) - { - ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; - goto cleanup; - } + return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); key_len = mbedtls_pk_write_pubkey_der( &key, buf, buf_len ); if( key_len <= 0 )