From 1f311ed5870ea0a54f4f90c70f7056ed40d792c1 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 17 Oct 2017 18:15:41 +0300 Subject: [PATCH 1/2] Backport 1.3:Fix crash when calling `mbedtls_ssl_cache_free` twice Set `cache` to zero at the end of `mbedtls_ssl_cache_free` #1104 --- ChangeLog | 2 ++ library/ssl_cache.c | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/ChangeLog b/ChangeLog index 6a1be9892..c8677e367 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,8 @@ Bugfix * Fix leap year calculation in x509_date_is_valid() to ensure that invalid dates on leap years with 100 and 400 intervals are handled correctly. Found by Nicholas Wilson. #694 + * Fix crash when calling mbedtls_ssl_cache_free() twice. Found by + MilenkoMitrovic, #1104 = mbed TLS 1.3.21 branch released 2017-08-10 diff --git a/library/ssl_cache.c b/library/ssl_cache.c index 0c2df29bb..1cb71bf57 100644 --- a/library/ssl_cache.c +++ b/library/ssl_cache.c @@ -44,6 +44,12 @@ #define polarssl_free free #endif + +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + void ssl_cache_init( ssl_cache_context *cache ) { memset( cache, 0, sizeof( ssl_cache_context ) ); @@ -324,6 +330,8 @@ void ssl_cache_free( ssl_cache_context *cache ) #if defined(POLARSSL_THREADING_C) polarssl_mutex_free( &cache->mutex ); #endif + + polarssl_zeroize( cache, sizeof(ssl_cache_context) ); } #endif /* POLARSSL_SSL_CACHE_C */ From 9f60bc57ced45fa4e2d63eed4ad18c51cd57bd0b Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Sun, 29 Oct 2017 17:53:52 +0200 Subject: [PATCH 2/2] Address PR review comments set `cache->chain` to NULL, instead of setting the whole structure to zero. --- library/ssl_cache.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/library/ssl_cache.c b/library/ssl_cache.c index 1cb71bf57..0cad1480e 100644 --- a/library/ssl_cache.c +++ b/library/ssl_cache.c @@ -44,12 +44,6 @@ #define polarssl_free free #endif - -/* Implementation that should never be optimized out by the compiler */ -static void polarssl_zeroize( void *v, size_t n ) { - volatile unsigned char *p = v; while( n-- ) *p++ = 0; -} - void ssl_cache_init( ssl_cache_context *cache ) { memset( cache, 0, sizeof( ssl_cache_context ) ); @@ -331,7 +325,7 @@ void ssl_cache_free( ssl_cache_context *cache ) polarssl_mutex_free( &cache->mutex ); #endif - polarssl_zeroize( cache, sizeof(ssl_cache_context) ); + cache->chain = NULL; } #endif /* POLARSSL_SSL_CACHE_C */