Fix memory leak in ecp_mul_comb() if ecp_precompute_comb() fails

In ecp_mul_comb(), if (!p_eq_g && grp->T == NULL) and then ecp_precompute_comb() fails (which can happen due to OOM), then the new array of points T will be leaked (as it's newly allocated, but hasn't been asigned to grp->T yet). Symptom was a memory leak in ECDHE key exchange under low memory conditions.
2025-02-02 12:01:06 +00:00 · 2017-09-06 15:07:17 +10:00 · 2017-09-06 15:07:17 +10:00 · cb7a5b0b0c
parent d7126d7009
commit cb7a5b0b0c
2 changed files with 8 additions and 1 deletions
--- a/2
+++ b/2
@ -38,6 +38,8 @@ Bugfix
   * Correct the documentation for `mbedtls_ssl_get_session()`.
     This API has deep copy of the session, and the peer
     certificate is not lost. Fixes #926.
+   * Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
+     Fix contributed by Espressif Systems.

 Changes
   * Change the shebang line in Perl scripts to look up perl in the PATH.
--- a/library/ecp.c
+++ b/library/ecp.c
@ -1448,7 +1448,12 @@ static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,

 cleanup:

-    if( T != NULL && ! p_eq_g )
+    /* There are two cases where T is not stored in grp:
+     * - P != G
+     * - An intermediate operation failed before setting grp->T
+     * In either case, T must be freed.
+     */
+    if( T != NULL && T != grp->T )
    {
        for( i = 0; i < pre_len; i++ )
            mbedtls_ecp_point_free( &T[i] );