Fix for IOTSSL-473 Double free error
Fix potential double-free in mbedtls_ssl_set_hs_psk(.)
diff --git a/ChangeLog b/ChangeLog
index 7310f3e..e024af8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,7 +4,10 @@
Security
* Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer
- overflow of the hostname or session ticket.
+ overflow of the hostname or session ticket. (Found by Guido Vranken).
+ * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
+ once in the same handhake and mbedtls_ssl_conf_psk() was used.
+ Found and patch provided by Guido Vranken. Cannot be forced remotely.
Changes
* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
@@ -20,7 +23,8 @@
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
* Fix possible client-side NULL pointer dereference (read) when the client
tries to continue the handshake after it failed (a misuse of the API).
- (Found and patch provided by Fabian Foerg, Gotham Digital Science using afl-fuzz.)
+ (Found and patch provided by Fabian Foerg, Gotham Digital Science using
+ afl-fuzz.)
Bugfix
* Fix warning when using a 64bit platform. (found by embedthis) (#275)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 71c99d3..43cbe0f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5730,7 +5730,7 @@
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
if( ssl->handshake->psk != NULL )
- mbedtls_free( ssl->conf->psk );
+ mbedtls_free( ssl->handshake->psk );
if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
{