Fix for IOTSSL-473 Double free error

Fix potential double-free in mbedtls_ssl_set_hs_psk(.)
2015-10-04 22:06:51 +01:00 · 2015-10-04 22:06:51 +01:00 · 5b8d1d65f7
commit 5b8d1d65f7
parent ef388f168d
2 changed files with 7 additions and 3 deletions
--- a/8
+++ b/8
@ -4,7 +4,10 @@ mbed TLS ChangeLog (Sorted per branch, date)

 Security
   * Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer
-     overflow of the hostname or session ticket.
+     overflow of the hostname or session ticket. (Found by Guido Vranken).
+   * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
+     once in the same handhake and mbedtls_ssl_conf_psk() was used.
+     Found and patch provided by Guido Vranken. Cannot be forced remotely.

 Changes
   * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
@ -20,7 +23,8 @@ Security
     https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
   * Fix possible client-side NULL pointer dereference (read) when the client
     tries to continue the handshake after it failed (a misuse of the API).
-     (Found and patch provided by Fabian Foerg, Gotham Digital Science using afl-fuzz.)
+     (Found and patch provided by Fabian Foerg, Gotham Digital Science using
+     afl-fuzz.)

 Bugfix
   * Fix warning when using a 64bit platform. (found by embedthis) (#275)
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -5730,7 +5730,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );

    if( ssl->handshake->psk != NULL )
-        mbedtls_free( ssl->conf->psk );
+        mbedtls_free( ssl->handshake->psk );

    if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
    {