Manuel Pégourié-Gonnard | 43a1e73 | 2025-05-05 16:41:52 +0200

Security
   * Fix possible use-after-free or double-free in code calling
     mbedtls_x509_string_to_names(). This was caused by the function calling
     mbedtls_asn1_free_named_data_list() on its head argument, while the
     documentation did not suggest it did, making it likely for callers relying
     on the documented behaviour to still hold pointers to memory blocks after
     they were free()d, resulting in a high risk of use-after-free or
     double-free, with consequences ranging up to arbitrary code execution.
     In particular, the two sample programs x509/cert_write and x509/cert_req
     were affected (use-after-free if the san string contains more than one DN).
     Code that does not call mbedtls_x509_string_to_names() directly is not
     affected.
     Found by Linh Le and Ngan Nguyen from Calif.

Changes
   * The function mbedtls_x509_string_to_names() now requires its head argument
     to point to NULL on entry. This makes it likely that existing risky uses of
     this function (see the entry in the Security section) will be detected and
     fixed.
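
The "head must point to NULL on entry" contract described above, shown as an added, self-contained model; it is not Mbed TLS code. The names node, list_free, model_string_to_names and the error codes are hypothetical, and splitting the input on commas is a simplification of real DN parsing.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a named-data list; not the Mbed TLS types. */
enum { VAL_MAX = 32, ERR_BAD_INPUT = -1, ERR_ALLOC = -2 };  /* constructed */
typedef struct node { char val[VAL_MAX]; struct node *next; } node;

/* Free the whole list and reset *head so no dangling pointer survives. */
static void list_free(node **head) {
    while (*head != NULL) {
        node *next = (*head)->next;
        free(*head);
        *head = next;
    }
}

/* Model of the new contract: refuse to run unless *head is NULL on entry,
 * so the parser never frees memory the caller may still reference. */
static int model_string_to_names(node **head, const char *names) {
    if (head == NULL || names == NULL || *head != NULL) return ERR_BAD_INPUT;
    node **tail = head;
    while (*names != '\0') {
        size_t len = strcspn(names, ",");
        node *n = len < VAL_MAX ? calloc(1, sizeof *n) : NULL;
        if (n == NULL) {               /* oversized item or allocation failure */
            list_free(head);           /* only frees nodes built in this call */
            return len < VAL_MAX ? ERR_ALLOC : ERR_BAD_INPUT;
        }
        memcpy(n->val, names, len);    /* calloc already zero-terminated val */
        *tail = n;
        tail = &n->next;
        names += len + (names[len] == ',');
    }
    return 0;
}

/* Caller pattern: start from NULL, free (which re-NULLs) before any reuse. */
static int demo(void) {
    node *subject = NULL;
    if (model_string_to_names(&subject, "CN=a,O=b") != 0) return 1;
    node *kept = subject;              /* pointer a caller might hold on to */
    if (model_string_to_names(&subject, "CN=c") != ERR_BAD_INPUT) return 2;
    if (subject != kept || strcmp(kept->val, "CN=a") != 0) return 3;
    list_free(&subject);               /* old list released, subject == NULL */
    if (model_string_to_names(&subject, "CN=c") != 0) return 4;
    int ok = strcmp(subject->val, "CN=c") == 0 && subject->next == NULL;
    list_free(&subject);
    return ok ? 0 : 5;
}
int main(void) { return demo(); }
```

A caller that reuses a populated head gets an error back and keeps its existing list intact, which is how the stricter contract surfaces risky call sites.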