author | Andy Green <andy@warmcat.com> | 2021-11-08 09:22:46 +0000 |
committer | Andy Green <andy@warmcat.com> | 2021-11-08 11:05:24 +0000 |
commit | 7882a6dc13f0d44cbab9f916e7340ff2b9d9890b (patch) | |
tree | 8adccde5dbe7bcc7c610a1f9ba03310ab1821cd7 /lib | |
parent | 433ad32216757547d321e87bdfef64771939f7ec (diff) | |
jit-trust: clean after failed mbedtls_x509_get_name
mbedtls_x509_get_name() does not clean up properly after itself in the case
of OOM on a multi-segment name. We have to add extra handling and cleaning.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/tls/mbedtls/mbedtls-client.c | 1 | ||||
-rw-r--r-- | lib/tls/mbedtls/mbedtls-extensions.c | 33 |
2 files changed, 33 insertions, 1 deletions
diff --git a/lib/tls/mbedtls/mbedtls-client.c b/lib/tls/mbedtls/mbedtls-client.c
index 7f9651fe..c12bbd50 100644
--- a/lib/tls/mbedtls/mbedtls-client.c
+++ b/lib/tls/mbedtls/mbedtls-client.c
@@ -161,6 +161,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
 #if defined(LWS_WITH_TLS_JIT_TRUST)
 SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER, lws_mbedtls_client_verify_callback);
+ (void)fl;
 #else
 SSL_set_verify(wsi->tls.ssl, fl, NULL);
 #endif
diff --git a/lib/tls/mbedtls/mbedtls-extensions.c b/lib/tls/mbedtls/mbedtls-extensions.c
index 092c36dc..839563e5 100644
--- a/lib/tls/mbedtls/mbedtls-extensions.c
+++ b/lib/tls/mbedtls/mbedtls-extensions.c
@@ -185,6 +185,34 @@ x509_get_skid(uint8_t **p, const uint8_t *end, mbedtls_x509_buf *skid)
 return *p != end;
 }
+/*
+ * Names may have multiple allocated segments in a linked-list, when the mbedtls
+ * api mbedtls_x509_get_name() fails, it doesn't clean up any already-allocated
+ * segments, wrongly leaving it to the caller to handle. This helper takes care
+ * of the missing cleaning for allocation error path.
+ *
+ * name.next must be set to NULL by user code before calling ...get_name(...,
+ * &name), since not every error exit sets it and it will contain garbage if
+ * defined on stack as is usual.
+ */
+
+static void
+lws_x509_clean_name(mbedtls_x509_name *name)
+{
+ mbedtls_x509_name *n1;
+
+ if (!name)
+ return;
+
+ n1 = name->MBEDTLS_PRIVATE(next);
+
+ while (n1) {
+ name = n1->MBEDTLS_PRIVATE(next);
+ free(n1);
+ n1 = name;
+ }
+}
+
 static int
 lws_mbedtls_x509_parse_general_name(const mbedtls_x509_buf *name_buf,
 lws_mbedtls_x509_subject_alternative_name *name)
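Review bot: lws_x509_clean_name() reuses its `name` parameter as the loop scratch variable, so once the loop ends the head pointer is lost and the caller's `name->MBEDTLS_PRIVATE(next)` is left pointing at the first freed segment; a separate temporary lets the helper detach the head with `name->MBEDTLS_PRIVATE(next) = NULL;` after the chain is released, which also makes a second call on the same name harmless. The segments are allocated inside mbedtls with mbedtls_calloc(), so releasing them with plain free() presumably only matches while MBEDTLS_PLATFORM_MEMORY is not redirecting the allocator; mbedtls_free() from mbedtls/platform.h follows the library's own convention, assuming that header is reachable from this file. A rewritten body is below.
```c
static void
lws_x509_clean_name(mbedtls_x509_name *name)
{
	mbedtls_x509_name *n1, *n2;

	if (!name)
		return;

	/* release every segment after the caller-owned head, then detach it */
	for (n1 = name->MBEDTLS_PRIVATE(next); n1; n1 = n2) {
		n2 = n1->MBEDTLS_PRIVATE(next);
		mbedtls_free(n1);
	}
	name->MBEDTLS_PRIVATE(next) = NULL;
}
```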
@@ -221,9 +249,12 @@ lws_mbedtls_x509_parse_general_name(const mbedtls_x509_buf *name_buf,
 * expects the beginning of the SET tag
 */
 *p = *p - 2;
+ rfc822Name.MBEDTLS_PRIVATE(next) = NULL;
 ret = mbedtls_x509_get_name( p, end, &rfc822Name );
- if (ret)
+ if (ret) {
+ lws_x509_clean_name(&rfc822Name);
 return ret;
+ }
 memset(name, 0, sizeof(*name));
 name->type = LWS_MBEDTLS_X509_SAN_OTHER_NAME;
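Review bot: Only the failure path of mbedtls_x509_get_name() releases `rfc822Name`'s chain here; a successful parse of a multi-segment name allocates the same `next` segments, and nothing in the hunk frees them after `name->type = LWS_MBEDTLS_X509_SAN_OTHER_NAME;`. Confirm that the code following this hunk calls `lws_x509_clean_name(&rfc822Name);` on every later return once the needed fields have been copied out of the stack variable, otherwise the leak this commit fixes remains on the common path. lws_mbedtls_x509_parse_general_name() both starts and ends outside this hunk, so that cannot be verified from here.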