Merge 'iotssl-566-double-free-restricted'
diff --git a/ChangeLog b/ChangeLog
index 3d298f3..2829c0a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,11 @@
= mbed TLS 2.2.1 released 2015-12-xx
+Security
+ * Fix potential double free when mbedtls_asn1_store_named_data() fails to
+ allocate memory. Only used for certificate generation, not triggerable
+ remotely in SSL/TLS. Found by RafaĆ Przywara. #367
+
Bugfix
* Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
diff --git a/library/asn1write.c b/library/asn1write.c
index 456660d..00ed73c 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -339,19 +339,18 @@
}
else if( cur->val.len < val_len )
{
- // Enlarge existing value buffer if needed
- //
- mbedtls_free( cur->val.p );
- cur->val.p = NULL;
-
- cur->val.len = val_len;
- cur->val.p = mbedtls_calloc( 1, val_len );
- if( cur->val.p == NULL )
- {
- mbedtls_free( cur->oid.p );
- mbedtls_free( cur );
+ /*
+ * Enlarge existing value buffer if needed
+ * Preserve old data until the allocation succeeded, to leave list in
+ * a consistent state in case allocation fails.
+ */
+ void *p = mbedtls_calloc( 1, val_len );
+ if( p == NULL )
return( NULL );
- }
+
+ mbedtls_free( cur->val.p );
+ cur->val.p = p;
+ cur->val.len = val_len;
}
if( val != NULL )
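Review bot: The new comment in the `else if( cur->val.len < val_len )` branch says old data is preserved, but that holds only on the failure path; on success the old buffer is freed and the zero-filled replacement from `mbedtls_calloc( 1, val_len )` takes its place. I would word it as `Allocate the new buffer first; on failure return NULL with cur and the list untouched. On success the old contents are discarded, not copied.` The same failure contract deserves a sentence in the function's own documentation, which is outside this hunk, because after a NULL return the caller presumably still owns the list and has to free it. The enclosing function starts and ends outside the hunk, so the branch that allocates a new entry cannot be checked here for the same free-while-still-linked pattern. A test that forces the allocation on this path to fail and then frees the list would pin the fix.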