Merge remote-tracking branch 'restricted/pr/491' into development-restricted
diff --git a/ChangeLog b/ChangeLog
index 5d72364..1ffa69e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,11 @@
= mbed TLS x.x.x branch released xxxx-xx-xx
+Security
+ * Fix a potential memory leak in mbedtls_ssl_setup( ) function. An allocation
+ failure could leave an unreleased buffer. A handshake init failure would
+ lead to leaving two unreleased buffers.
+
Features
* Add support for fragmentation of outgoing DTLS handshake messages. This
is controlled by the maximum fragment length as set locally or negotiated
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1818abd..9b8c454 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6293,28 +6293,55 @@
/*
* Prepare base structures
*/
+
+ /* Set to NULL in case of an error condition */
+ ssl->out_buf = NULL;
+
ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
if( ssl->in_buf == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
- return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto error;
}
ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
if( ssl->out_buf == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
- mbedtls_free( ssl->in_buf );
- ssl->in_buf = NULL;
- return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto error;
}
ssl_reset_in_out_pointers( ssl );
if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
- return( ret );
+ goto error;
return( 0 );
+
+error:
+ mbedtls_free( ssl->in_buf );
+ mbedtls_free( ssl->out_buf );
+
+ ssl->conf = NULL;
+
+ ssl->in_buf = NULL;
+ ssl->out_buf = NULL;
+
+ ssl->in_hdr = NULL;
+ ssl->in_ctr = NULL;
+ ssl->in_len = NULL;
+ ssl->in_iv = NULL;
+ ssl->in_msg = NULL;
+
+ ssl->out_hdr = NULL;
+ ssl->out_ctr = NULL;
+ ssl->out_len = NULL;
+ ssl->out_iv = NULL;
+ ssl->out_msg = NULL;
+
+ return( ret );
}
/*