From f4cbe10bcef6b398e1bb10bc749ad2e28a7e4589 Mon Sep 17 00:00:00 2001
From: Andres AG
Date: Thu, 8 Dec 2016 17:19:21 +0000
Subject: [PATCH] Fix memory leak in mbedtls_x509_crl_parse()

The memory leak call was caused by missing calls to mbedtls_pem_free() when a MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered.
---
 ChangeLog | 3 +++
 library/x509_crl.c | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d26cec265..64aeac5f0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -44,6 +44,9 @@ Bugfix
 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
 * Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
+ * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
+ by missing calls to mbedtls_pem_free() in cases when a
+ MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered.
 = mbed TLS 2.1.6 branch released 2016-10-17
diff --git a/library/x509_crl.c b/library/x509_crl.c
index dca14cc99..3af10f69b 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -524,16 +524,17 @@ int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, s
 if( ( ret = mbedtls_x509_crl_parse_der( chain, pem.buf, pem.buflen ) ) != 0 )
 {
+ mbedtls_pem_free( &pem );
 return( ret );
 }
-
- mbedtls_pem_free( &pem );
 }
 else if( is_pem )
 {
 mbedtls_pem_free( &pem );
 return( ret );
 }
+
+ mbedtls_pem_free( &pem );
 }
 /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
 * And a valid CRL cannot be less than 1 byte anyway. */
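Review bot: In the library/x509_crl.c hunk the block now releases `pem` at three separate places (before `return( ret )` when mbedtls_x509_crl_parse_der() fails, in the `else if( is_pem )` branch, and at the new call at the bottom of the block), and nothing in the code says this is a rule every exit has to follow. CRLs are often parsed from data the caller does not control, so a forgotten free on an error path can be hit repeatedly; I would add a comment above the bottom call such as `/* Every exit from this block must release pem: the early returns above free it themselves, all other paths fall through to here. */`. The diffstat lists only ChangeLog and library/x509_crl.c, so it looks like no test covers the leaking input; a parse test run under a leak checker would keep this from regressing. The body of mbedtls_x509_crl_parse() starts and ends outside the hunk, so the surrounding loop is not visible here.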