Merge pull request #3312 from sander-visser/cleanup-nullptr-deref
Scope reduction to enable NULL check to protect dereferencing.
diff --git a/ChangeLog.d/fix-null-ptr-deref-in-mbedtls_ssl_free.txt b/ChangeLog.d/fix-null-ptr-deref-in-mbedtls_ssl_free.txt
new file mode 100644
index 0000000..9554aa0
--- /dev/null
+++ b/ChangeLog.d/fix-null-ptr-deref-in-mbedtls_ssl_free.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
+ NULL pointer argument. Contributed by Sander Visser in #3312.
\ No newline at end of file
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3b5a6c5..fd0c8a7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6661,14 +6661,6 @@
*/
void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
{
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t in_buf_len = ssl->in_buf_len;
- size_t out_buf_len = ssl->out_buf_len;
-#else
- size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
- size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
-#endif
-
if( ssl == NULL )
return;
@@ -6676,6 +6668,12 @@
if( ssl->out_buf != NULL )
{
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t out_buf_len = ssl->out_buf_len;
+#else
+ size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+#endif
+
mbedtls_platform_zeroize( ssl->out_buf, out_buf_len );
mbedtls_free( ssl->out_buf );
ssl->out_buf = NULL;
@@ -6683,6 +6681,12 @@
if( ssl->in_buf != NULL )
{
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t in_buf_len = ssl->in_buf_len;
+#else
+ size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+#endif
+
mbedtls_platform_zeroize( ssl->in_buf, in_buf_len );
mbedtls_free( ssl->in_buf );
ssl->in_buf = NULL;