Merge remote-tracking branch 'public/pr/1960' into mbedtls-2.7
diff --git a/ChangeLog b/ChangeLog
index fc296a9..50c801f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,8 @@
* Add ecc extensions only if an ecc based ciphersuite is used.
This improves compliance to RFC 4492, and as a result, solves
interoperability issues with BouncyCastle. Raised by milenamil in #1157.
+ * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
+ and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.
* Fix a miscalculation of the maximum record expansion in
mbedtls_ssl_get_record_expansion() in case of CBC ciphersuites
in (D)TLS versions 1.1 or higher. Fixes #1914.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1036ca4..3b4dd8a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5911,7 +5911,11 @@
ssl->transform_in = NULL;
ssl->transform_out = NULL;
+ ssl->session_in = NULL;
+ ssl->session_out = NULL;
+
memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
+
if( partial == 0 )
memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
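Review bot: The new `ssl->session_in = NULL;` and `ssl->session_out = NULL;` assignments carry no comment saying why they are needed, so a later cleanup could drop them and bring back the stale-pointer read that the ChangeLog entry describes. I would add `/* Drop stale session pointers so nothing reads a freed session after reset */` above them. Any other reader of these two fields must now tolerate NULL after a reset; those call sites are not visible in this diff and are worth checking. The enclosing function starts and ends outside the hunk.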
@@ -6688,14 +6692,14 @@
const mbedtls_ssl_transform *transform = ssl->transform_out;
unsigned block_size;
+ if( transform == NULL )
+ return( (int) mbedtls_ssl_hdr_len( ssl ) );
+
#if defined(MBEDTLS_ZLIB_SUPPORT)
if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
#endif
- if( transform == NULL )
- return( (int) mbedtls_ssl_hdr_len( ssl ) );
-
switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
{
case MBEDTLS_MODE_GCM:
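Review bot: The `ssl->session_out->compression` read under MBEDTLS_ZLIB_SUPPORT is now protected only by the `transform == NULL` early return moved above it, which assumes session_out is never NULL while transform_out is set. That invariant is not visible in this hunk, so it should be stated where the ordering matters, e.g. `/* Must precede the session_out dereference below: session_out may be NULL until transform_out is set */`. If the invariant cannot be guaranteed, the compression test should check `ssl->session_out != NULL` itself. The function body continues past the end of the hunk.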
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 04f8910..7214dc2 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -351,9 +351,15 @@
int ret = 1, len;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_net_context server_fd;
- unsigned char buf[1024];
#if defined(MBEDTLS_BASE64_C)
unsigned char base[1024];
+ /* buf is used as the destination buffer for printing base with the format:
+ * "%s\r\n". Hence, the size of buf should be at least the size of base
+ * plus 2 bytes for the \r and \n characters.
+ */
+ unsigned char buf[sizeof( base ) + 2];
+#else
+ unsigned char buf[1024];
#endif
char hostname[32];
const char *pers = "ssl_mail_client";
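Review bot: The `sizeof( base ) + 2` sizing is sufficient only if base always holds a NUL-terminated string within its 1024 bytes, and the new comment does not say so. I would add a line such as `* base is NUL-terminated, so its own terminator byte covers the one written after "\r\n".` The call that formats base into buf is outside this hunk. If it is an unbounded sprintf-style call, bounding it by `sizeof( buf )` would keep the two sizes from drifting apart again. The declarations sit in a function whose start and end are outside the hunk.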
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 26ab88a..71934cf 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -164,7 +164,7 @@
const char *issuer_key; /* filename of the issuer key file */
const char *subject_pwd; /* password for the subject key file */
const char *issuer_pwd; /* password for the issuer key file */
- const char *output_file; /* where to store the constructed key file */
+ const char *output_file; /* where to store the constructed CRT */
const char *subject_name; /* subject name for certificate */
const char *issuer_name; /* issuer name for certificate */
const char *not_before; /* validity period not before */
@@ -774,7 +774,7 @@
}
/*
- * 1.2. Writing the request
+ * 1.2. Writing the certificate
*/
mbedtls_printf( " . Writing the certificate..." );
fflush( stdout );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 839c77d..5a83bbc 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -605,6 +605,9 @@
if [ "$PRESERVE_LOGS" -gt 0 ]; then
mv $SRV_OUT o-srv-${TESTS}.log
mv $CLI_OUT o-cli-${TESTS}.log
+ if [ -n "$PXY_CMD" ]; then
+ mv $PXY_OUT o-pxy-${TESTS}.log
+ fi
fi
rm -f $SRV_OUT $CLI_OUT $PXY_OUT