| Security |
| * Fix possible use-after-free or double-free in code calling |
| mbedtls_x509_string_to_names(). This was caused by the function calling |
| mbedtls_asn1_free_named_data_list() on its head argument, while the |
| documentation did no suggest it did, making it likely for callers relying |
| on the documented behaviour to still hold pointers to memory blocks after |
| they were free()d, resulting in high risk of use-after-free or double-free, |
| with consequences ranging up to arbitrary code execution. |
| In particular, the two sample programs x509/cert_write and x509/cert_req |
| were affected (use-after-free if the san string contains more than one DN). |
| Code that does not call mbedtls_string_to_names() directly is not affected. |
| Found by Linh Le and Ngan Nguyen from Calif. |
| |
| Changes |
| * The function mbedtls_x509_string_to_names() now requires its head argument |
| to point to NULL on entry. This makes it likely that existing risky uses of |
| this function (see the entry in the Security section) will be detected and |
| fixed. |