mbedtls/library
Manuel Pégourié-Gonnard a3d831b9e6 Add test for session_load() from small buffers
This uncovered a bug that led to a double-free (in practice, in general could
be free() on any invalid value): initially the session structure is loaded
with `memcpy()` which copies the previous values of pointers peer_cert and
ticket to heap-allocated buffers (or any other value if the input is
attacker-controlled). Now if we exit before we got a chance to replace those
invalid values with valid ones (for example because the input buffer is too
small, or because the second malloc() failed), then the next call to
session_free() is going to call free() on invalid pointers.

This bug is fixed in this commit by always setting the pointers to NULL right
after they've been read from the serialised state, so that the invalid values
can never be used.

(An alternative would be to NULL-ify them when writing, which was rejected
mostly because we need to do it when reading anyway (as the consequences of
free(invalid) are too severe to take any risk), so doing it when writing as
well is redundant and a waste of code size.)

Also, while thinking about what happens in case of errors, it became apparent
to me that it was bad practice to leave the session structure in an
half-initialised state and rely on the caller to call session_free(), so this
commit also ensures we always clear the structure when loading failed.
2019-08-23 12:48:41 +03:00
..
.gitignore
certs.c Add support for all SHA modes in cert_write 2019-07-14 09:17:57 +03:00
CMakeLists.txt Remove use of CMAKE_SOURCE_DIR 2019-06-25 13:33:51 +01:00
debug.c Merge remote-tracking branch 'origin/pr/1818' into development 2019-03-05 16:27:38 +00:00
error.c Add specific SSL error code for unexpected CIDs 2019-06-03 16:07:50 +01:00
Makefile Consistently spell -Wextra 2019-07-02 20:05:16 +02:00
net_sockets.c net_sockets: Fix typo in net_would_block() 2019-06-20 10:48:11 +01:00
pkcs11.c
ssl_cache.c Remove peer CRT from cache if !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 2019-02-26 14:38:09 +00:00
ssl_ciphersuites.c Reduce priority of 3DES ciphersuites 2019-03-01 10:19:27 +01:00
ssl_cli.c Make calc_verify() return the length as well 2019-08-23 12:45:33 +03:00
ssl_cookie.c Rename mbedtls_zeroize to mbedtls_platform_zeroize 2018-04-17 10:00:21 -05:00
ssl_srv.c Make calc_verify() return the length as well 2019-08-23 12:45:33 +03:00
ssl_ticket.c Move session save/load function to ssl_tls.c 2019-08-23 12:48:41 +03:00
ssl_tls.c Add test for session_load() from small buffers 2019-08-23 12:48:41 +03:00
version.c
version_features.c Update version_features.c 2019-08-06 11:25:45 +03:00
x509.c Improve documentation of mbedtls_x509_get_ext() 2019-06-04 13:59:55 +01:00
x509_create.c Break overly long line in library/x509_create.c 2018-11-02 10:52:38 +00:00
x509_crl.c Always return a high-level error code from X.509 module 2019-06-04 13:59:48 +01:00
x509_crt.c Deref pointer when using sizeof in x509_get_other_name 2019-06-24 09:17:18 -04:00
x509_csr.c Merge development commit 8e76332 into development-psa 2019-01-31 08:20:20 -05:00
x509write_crt.c Avoid use of large stack buffers in mbedtls_x509_write_crt_pem() 2019-05-04 08:13:23 +01:00
x509write_csr.c Add new function mbedtls_asn1_write_named_bitstring() 2019-02-28 09:36:30 +00:00