From b8aa2071f600a7c0377dcfc3dfaf673f4617c56a Mon Sep 17 00:00:00 2001 From: sander-visser Date: Wed, 6 May 2020 22:05:13 +0200 Subject: [PATCH 1/2] Scope reduction to enable NULL check to protect dereferencing. Signed-off-by: sander-visser --- library/ssl_tls.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ccfc4bdaa..bbbe80f46 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6661,14 +6661,6 @@ int mbedtls_ssl_context_load( mbedtls_ssl_context *context, */ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) - size_t in_buf_len = ssl->in_buf_len; - size_t out_buf_len = ssl->out_buf_len; -#else - size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; - size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; -#endif - if( ssl == NULL ) return; @@ -6676,6 +6668,12 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) if( ssl->out_buf != NULL ) { +#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) + size_t out_buf_len = ssl->out_buf_len; +#else + size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; +#endif + mbedtls_platform_zeroize( ssl->out_buf, out_buf_len ); mbedtls_free( ssl->out_buf ); ssl->out_buf = NULL; @@ -6683,6 +6681,12 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) if( ssl->in_buf != NULL ) { +#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) + size_t in_buf_len = ssl->in_buf_len; +#else + size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; +#endif + mbedtls_platform_zeroize( ssl->in_buf, in_buf_len ); mbedtls_free( ssl->in_buf ); ssl->in_buf = NULL; From c64b72394dd3c7fe8003bcd25720741b378bf339 Mon Sep 17 00:00:00 2001 From: sander-visser Date: Thu, 7 May 2020 20:09:14 +0200 Subject: [PATCH 2/2] Add Changelog entry for #3312 Signed-off-by: sander-visser --- ChangeLog.d/fix-null-ptr-deref-in-mbedtls_ssl_free.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/fix-null-ptr-deref-in-mbedtls_ssl_free.txt diff --git a/ChangeLog.d/fix-null-ptr-deref-in-mbedtls_ssl_free.txt b/ChangeLog.d/fix-null-ptr-deref-in-mbedtls_ssl_free.txt new file mode 100644 index 000000000..9554aa03c --- /dev/null +++ b/ChangeLog.d/fix-null-ptr-deref-in-mbedtls_ssl_free.txt @@ -0,0 +1,3 @@ +Bugfix + * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a + NULL pointer argument. Contributed by Sander Visser in #3312. \ No newline at end of file