From 5b8d1d65f746f1eae34225dfa6241d0401fbe746 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Sun, 4 Oct 2015 22:06:51 +0100 Subject: [PATCH] Fix for IOTSSL-473 Double free error Fix potential double-free in mbedtls_ssl_set_hs_psk(.) --- ChangeLog | 8 ++++++-- library/ssl_tls.c | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7310f3e91..e024af818 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,7 +4,10 @@ mbed TLS ChangeLog (Sorted per branch, date) Security * Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer - overflow of the hostname or session ticket. + overflow of the hostname or session ticket. (Found by Guido Vranken). + * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than + once in the same handhake and mbedtls_ssl_conf_psk() was used. + Found and patch provided by Guido Vranken. Cannot be forced remotely. Changes * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure @@ -20,7 +23,8 @@ Security https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/ * Fix possible client-side NULL pointer dereference (read) when the client tries to continue the handshake after it failed (a misuse of the API). - (Found and patch provided by Fabian Foerg, Gotham Digital Science using afl-fuzz.) + (Found and patch provided by Fabian Foerg, Gotham Digital Science using + afl-fuzz.) Bugfix * Fix warning when using a 64bit platform. (found by embedthis) (#275) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 71c99d3fc..43cbe0fc4 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5730,7 +5730,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); if( ssl->handshake->psk != NULL ) - mbedtls_free( ssl->conf->psk ); + mbedtls_free( ssl->handshake->psk ); if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) {