Fix NULL dereference in buffer-based allocator

commit: 547ff6618fe75fb04cb5e3deb10163e50d63117c [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Nov 26 15:42:16 2014 +0100
committer: Paul Bakker <p.j.bakker@polarssl.org> Tue Jan 13 14:58:01 2015 +0100
tree: 78d67bce047d08856d91a294e8aca2841a06179e
parent: 765bb31d242eaa7106010461503b72170c5fc784 [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index 8370738..a1e9837 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -9,6 +9,12 @@
    * Add support for Extended Master Secret (draft-ietf-tls-session-hash)
    * Add support for Encrypt-then-MAC (RFC 7366)
 
+Security
+   * NULL pointer dereference in the buffer-based allocator when the buffer is
+     full and polarssl_free() is called (found by Jean-Philippe Aumasson)
+     (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
+     not by default).
+
 Bugfix
    * Stack buffer overflow if ctr_drbg_update() is called with too large
      add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
commit	547ff6618fe75fb04cb5e3deb10163e50d63117c	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Wed Nov 26 15:42:16 2014 +0100
committer	Paul Bakker <p.j.bakker@polarssl.org>	Tue Jan 13 14:58:01 2015 +0100
tree	78d67bce047d08856d91a294e8aca2841a06179e
parent	765bb31d242eaa7106010461503b72170c5fc784 [diff] [blame]