Skip to content

Commit

Permalink
Merge pull request #3312 from sander-visser/cleanup-nullptr-deref
Browse files Browse the repository at this point in the history 
Scope reduction to enable NULL check to protect dereferencing.
  • Loading branch information
@gilles-peskine-arm
gilles-peskine-arm authored May 11, 2020
2 parents 1a4a3f5 + c64b723 commit c39a80d
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 8 deletions.
3 changes: 3 additions & 0 deletions ChangeLog.d/fix-null-ptr-deref-in-mbedtls_ssl_free.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
Bugfix
* Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
NULL pointer argument. Contributed by Sander Visser in #3312.
20 changes: 12 additions & 8 deletions library/ssl_tls.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6661,28 +6661,32 @@ int mbedtls_ssl_context_load( mbedtls_ssl_context *context,
*/
void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t in_buf_len = ssl->in_buf_len;
size_t out_buf_len = ssl->out_buf_len;
#else
size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
#endif

if( ssl == NULL )
return;

MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );

if( ssl->out_buf != NULL )
{
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t out_buf_len = ssl->out_buf_len;
#else
size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
#endif

mbedtls_platform_zeroize( ssl->out_buf, out_buf_len );
mbedtls_free( ssl->out_buf );
ssl->out_buf = NULL;
}

if( ssl->in_buf != NULL )
{
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t in_buf_len = ssl->in_buf_len;
#else
size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
#endif

mbedtls_platform_zeroize( ssl->in_buf, in_buf_len );
mbedtls_free( ssl->in_buf );
ssl->in_buf = NULL;
Expand Down

0 comments on commit c39a80d

Please sign in to comment.