From 78657e52d8d57c740f98741e76ebe5e67a9d83a7 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Fri, 4 May 2018 08:34:22 +0200 Subject: [PATCH 1/4] Fix memory leak in mbedtls_x509_csr_parse --- library/x509_csr.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/library/x509_csr.c b/library/x509_csr.c index 26a06db4f..8bb7f3363 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -294,11 +294,9 @@ int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, siz /* * Was PEM encoded, parse the result */ - if( ( ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen ) ) != 0 ) - return( ret ); - + ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen ); mbedtls_pem_free( &pem ); - return( 0 ); + return( ret ); } else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) { From dc58e59280891b354486e61943ae27d0c5f23442 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 14 Jun 2018 07:35:11 +0200 Subject: [PATCH 2/4] Simplify code in mbedtls_x509_csr_parse --- library/x509_csr.c | 28 ++++++++++------------------ 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/library/x509_csr.c b/library/x509_csr.c index 8bb7f3363..40a0f2061 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -278,32 +278,24 @@ int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, siz return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); #if defined(MBEDTLS_PEM_PARSE_C) - mbedtls_pem_init( &pem ); - /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ - if( buf[buflen - 1] != '\0' ) - ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; - else + if( buf[buflen - 1] == '\0' ) { + mbedtls_pem_init( &pem ); ret = mbedtls_pem_read_buffer( &pem, "-----BEGIN CERTIFICATE REQUEST-----", "-----END CERTIFICATE REQUEST-----", buf, NULL, 0, &use_len ); - if( ret == 0 ) - { - /* - * Was PEM encoded, parse the result - */ - ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen ); + if( ret == 0 ) + /* + * Was PEM encoded, parse the result + */ + ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen ); + mbedtls_pem_free( &pem ); - return( ret ); + if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) + return( ret ); } - else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) - { - mbedtls_pem_free( &pem ); - return( ret ); - } - else #endif /* MBEDTLS_PEM_PARSE_C */ return( mbedtls_x509_csr_parse_der( csr, buf, buflen ) ); } From 0f91c0f4415faa1d421d5d348e090eea4a7e9ba1 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Wed, 20 Jun 2018 08:13:24 +0200 Subject: [PATCH 3/4] Coding style Commit to be squashed --- library/x509_csr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/x509_csr.c b/library/x509_csr.c index 40a0f2061..779098d4e 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -279,7 +279,8 @@ int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, siz #if defined(MBEDTLS_PEM_PARSE_C) /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ - if( buf[buflen - 1] == '\0' ) { + if( buf[buflen - 1] == '\0' ) + { mbedtls_pem_init( &pem ); ret = mbedtls_pem_read_buffer( &pem, "-----BEGIN CERTIFICATE REQUEST-----", From 9a08e449726fe9752637772720239e633001f2c2 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Fri, 22 Jun 2018 12:02:59 +0100 Subject: [PATCH 4/4] Add a ChangeLog entry for memory leak in mbedtls_x509_csr_parse() --- ChangeLog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index be0026e2b..e75f5e714 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +Bugfix + * Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber, + Philippe Antoine. + = mbed TLS 2.7.4 branch released 2018-06-18 Bugfix