Merge 'iotssl-566-double-free-restricted'

2025-02-24 07:16:54 +00:00 · 2015-12-23 16:42:03 +00:00 · 2015-12-23 16:42:03 +00:00 · 9c2626c641
parent 00923c1897 97b5209bc0
commit 9c2626c641
2 changed files with 16 additions and 12 deletions
--- a/5
+++ b/5
@ -2,6 +2,11 @@ mbed TLS ChangeLog (Sorted per branch, date)

 = mbed TLS 2.2.1 released 2015-12-xx

+Security
+   * Fix potential double free when mbedtls_asn1_store_named_data() fails to
+     allocate memory. Only used for certificate generation, not triggerable
+     remotely in SSL/TLS. Found by Rafał Przywara. #367
+
 Bugfix
   * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362

--- a/library/asn1write.c
+++ b/library/asn1write.c
@ -339,19 +339,18 @@ mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( mbedtls_asn1_named_data
    }
    else if( cur->val.len < val_len )
    {
-        // Enlarge existing value buffer if needed
-        //
-        mbedtls_free( cur->val.p );
-        cur->val.p = NULL;
-
-        cur->val.len = val_len;
-        cur->val.p = mbedtls_calloc( 1, val_len );
-        if( cur->val.p == NULL )
-        {
-            mbedtls_free( cur->oid.p );
-            mbedtls_free( cur );
+        /*
+         * Enlarge existing value buffer if needed
+         * Preserve old data until the allocation succeeded, to leave list in
+         * a consistent state in case allocation fails.
+         */
+        void *p = mbedtls_calloc( 1, val_len );
+        if( p == NULL )
            return( NULL );
-        }
+
+        mbedtls_free( cur->val.p );
+        cur->val.p = p;
+        cur->val.len = val_len;
    }

    if( val != NULL )