Merge pull request #3312 from sander-visser/cleanup-nullptr-deref

Scope reduction to enable NULL check to protect dereferencing.
Gilles Peskine 2020-05-11 21:59:07 +02:00 committed by GitHub
commit c39a80daee
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 8 deletions


@ -0,0 +1,3 @@
Bugfix
* Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
NULL pointer argument. Contributed by Sander Visser in #3312.


@ -6661,14 +6661,6 @@ int mbedtls_ssl_context_load( mbedtls_ssl_context *context,
*/ */
void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
{ {
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t in_buf_len = ssl->in_buf_len;
size_t out_buf_len = ssl->out_buf_len;
#else
size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
#endif
if( ssl == NULL ) if( ssl == NULL )
return; return;
@ -6676,6 +6668,12 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
if( ssl->out_buf != NULL ) if( ssl->out_buf != NULL )
{ {
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t out_buf_len = ssl->out_buf_len;
#else
size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
#endif
mbedtls_platform_zeroize( ssl->out_buf, out_buf_len ); mbedtls_platform_zeroize( ssl->out_buf, out_buf_len );
mbedtls_free( ssl->out_buf ); mbedtls_free( ssl->out_buf );
ssl->out_buf = NULL; ssl->out_buf = NULL;
@ -6683,6 +6681,12 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
if( ssl->in_buf != NULL ) if( ssl->in_buf != NULL )
{ {
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t in_buf_len = ssl->in_buf_len;
#else
size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
#endif
mbedtls_platform_zeroize( ssl->in_buf, in_buf_len ); mbedtls_platform_zeroize( ssl->in_buf, in_buf_len );
mbedtls_free( ssl->in_buf ); mbedtls_free( ssl->in_buf );
ssl->in_buf = NULL; ssl->in_buf = NULL;
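Review bot: Nothing in this commit exercises the case it fixes: the two changed files are the changelog entry and this source file, so a later refactor could hoist the `out_buf_len` / `in_buf_len` reads back above `if( ssl == NULL )` unnoticed. A regression test that simply calls `mbedtls_ssl_free( NULL );`, ideally in a build with MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled, would pin the behaviour. It would also help to add a short comment at the first scoped declaration, such as `/* Read the length here, after the NULL check: ssl may be NULL on entry. */`. Reading a field through the pointer before the check is undefined behaviour, so a compiler may drop the check entirely, which is why the ordering deserves to be stated. The body of mbedtls_ssl_free() continues outside the visible hunks, so any further uses of these lengths later in the function could not be checked from here.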