From 4772a1fd3cd38261d3604d7b4e4e9ecec3a59dd8 Mon Sep 17 00:00:00 2001
From: k-stachowiak
Date: Mon, 9 Jul 2018 10:43:37 +0200
Subject: [PATCH 1/3] Fix memory leak in ssl_setup
---
 library/ssl_tls.c | 36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e3c851eeb..50e36aed2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5510,7 +5510,7 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
 const mbedtls_ssl_config *conf )
 {
- int ret;
+ int err;
 const size_t len = MBEDTLS_SSL_BUFFER_LEN;
 ssl->conf = conf;
@@ -5518,13 +5518,14 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
 /*
 * Prepare base structures
 */
+ ssl->in_buf = NULL;
+ ssl->out_buf = NULL;
 if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL ||
 ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
- mbedtls_free( ssl->in_buf );
- ssl->in_buf = NULL;
- return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+ err = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto error;
 }
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -5558,10 +5559,33 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
 ssl->in_msg = ssl->in_buf + 13;
 }
- if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
- return( ret );
+ if( ( err = ssl_handshake_init( ssl ) ) != 0 )
+ goto error;
 return( 0 );
+
+error:
+ mbedtls_free( ssl->in_buf );
+ mbedtls_free( ssl->out_buf );
+
+ ssl->conf = NULL;
+
+ ssl->in_buf = NULL;
+ ssl->out_buf = NULL;
+
+ ssl->in_hdr = NULL;
+ ssl->in_ctr = NULL;
+ ssl->in_len = NULL;
+ ssl->in_iv = NULL;
+ ssl->in_msg = NULL;
+
+ ssl->out_hdr = NULL;
+ ssl->out_ctr = NULL;
+ ssl->out_len = NULL;
+ ssl->out_iv = NULL;
+ ssl->out_msg = NULL;
+
+ return( err );
 }
 /*
From 9e070019ad2dd8dec52f1799b231d1408af9f876 Mon Sep 17 00:00:00 2001
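Review bot: The two stores `ssl->in_buf = NULL;` and `ssl->out_buf = NULL;` added in the `@@ -5518,13 +5518,14 @@` hunk of PATCH 1/3 need a comment, because only the second one is load-bearing and that is not obvious from the code. `ssl->in_buf` is overwritten by the first `mbedtls_calloc` in the condition, whereas `ssl->out_buf` is never assigned when that first allocation fails (the `||` short-circuits), and the `error:` path added further down frees both pointers. I would add `/* out_buf must be NULL before the allocations: if in_buf fails, out_buf is never assigned, yet error: frees it */`. Whether the context has already been zeroed by `mbedtls_ssl_init` is not visible here, so the store should stay either way. The function body starts before this hunk and continues after it.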
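Review bot: The `error:` path added in the `@@ -5558,10 +5559,33 @@` hunk of PATCH 1/3 releases only `in_buf` and `out_buf`, so on the `ssl_handshake_init( ssl )` failure branch it depends on that function having released its own partial allocations. That function's body is not part of this patch, so this should be confirmed; otherwise a handshake-init failure still leaks whatever it had allocated. The label also has no comment stating what state it leaves the context in; something like `/* Failure: free both I/O buffers and clear conf and every in_/out_ pointer so the context holds no dangling pointers */` would make the contract explicit for callers that go on to free the context. The code between this hunk and the previous one is outside the patch, so any field it sets beyond those cleared here could not be checked.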
From: k-stachowiak
Date: Mon, 9 Jul 2018 14:44:26 +0200
Subject: [PATCH 2/3] Update change log
---
 ChangeLog | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 24d20503a..bb3765bdb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,11 @@ mbed TLS ChangeLog (Sorted per branch, date)
 = mbed TLS x.x.x branch released xxxx-xx-xx
+Security
+ * Fix a potential memory leak in mbedtls_ssl_setup( ) function. An allocation
+ failure could leave an unreleased buffer. A handshake init failure would
+ lead to leaving two unreleased buffers.
+
 Bugfix
 * Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber, Philippe Antoine. Fixes #1623.
From 83f9fba987bcbc3b66b233d251de20aabf69a966 Mon Sep 17 00:00:00 2001
From: k-stachowiak
Date: Tue, 31 Jul 2018 17:13:26 +0200
Subject: [PATCH 3/3] Revert change of a return variable name
---
 library/ssl_tls.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 50e36aed2..755ec0238 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5510,7 +5510,7 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
 const mbedtls_ssl_config *conf )
 {
- int err;
+ int ret;
 const size_t len = MBEDTLS_SSL_BUFFER_LEN;
 ssl->conf = conf;
@@ -5524,7 +5524,7 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
 ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
- err = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
 goto error;
 }
@@ -5559,7 +5559,7 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
 ssl->in_msg = ssl->in_buf + 13;
 }
- if( ( err = ssl_handshake_init( ssl ) ) != 0 )
+ if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
 goto error;
 return( 0 );
@@ -5585,7 +5585,7 @@ error:
 ssl->out_iv = NULL;
 ssl->out_msg = NULL;
- return( err );
+ return( ret );
 }
 /*