Mirrors/libwebsockets
1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00
Code Issues Releases Wiki Activity

jit-trust: clean after failed mbedtls_x509_get_name

Browse source 
mbedtls_x509_get_name() does not clean up properly after itself in the case
of OOM on multi-segment name.  We have to add extra handling and cleaning.
This commit is contained in:
Andy Green 2021-11-08 09:22:46 +00:00
parent 433ad32216
commit 7882a6dc13
2 changed files with 33 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
lib/tls/mbedtls/mbedtls-client.c
View file

@ -161,6 +161,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
#if defined(LWS_WITH_TLS_JIT_TRUST)
SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER,
lws_mbedtls_client_verify_callback);
(void)fl;
#else
SSL_set_verify(wsi->tls.ssl, fl, NULL);
#endif

33
lib/tls/mbedtls/mbedtls-extensions.c
View file

@ -185,6 +185,34 @@ x509_get_skid(uint8_t **p, const uint8_t *end, mbedtls_x509_buf *skid)
return *p != end;
}
/*
* Names may have multiple allocated segments in a linked-list, when the mbedtls
* api mbedtls_x509_get_name() fails, it doesn't clean up any already-allocated
* segments, wrongly leaving it to the caller to handle. This helper takes care
* of the missing cleaning for allocation error path.
*
* name.next must be set to NULL by user code before calling ...get_name(...,
* &name), since not every error exit sets it and it will contain garbage if
* defined on stack as is usual.
*/
static void
lws_x509_clean_name(mbedtls_x509_name *name)
{
mbedtls_x509_name *n1;
if (!name)
return;
n1 = name->MBEDTLS_PRIVATE(next);
while (n1) {
name = n1->MBEDTLS_PRIVATE(next);
free(n1);
n1 = name;
}
}
static int
lws_mbedtls_x509_parse_general_name(const mbedtls_x509_buf *name_buf,
lws_mbedtls_x509_subject_alternative_name *name)
@ -221,9 +249,12 @@ lws_mbedtls_x509_parse_general_name(const mbedtls_x509_buf *name_buf,
* expects the beginning of the SET tag */
*p = *p - 2;
rfc822Name.MBEDTLS_PRIVATE(next) = NULL;
ret = mbedtls_x509_get_name( p, end, &rfc822Name );
if (ret)
if (ret) {
lws_x509_clean_name(&rfc822Name);
return ret;
}
memset(name, 0, sizeof(*name));
name->type = LWS_MBEDTLS_X509_SAN_OTHER_NAME;