From d15c740df6e26b3dbe459c87ca59fa1d0d999d15 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 19 Aug 2020 12:03:11 +0200 Subject: [PATCH] Fix memory leak in mbedtls_md_setup with HMAC mbedtls_md_setup() allocates a hash-specific context and then, if requested, an extra HMAC context. If the second allocation failed, the hash context was not freed. Fix this by ensuring that the mbedtls_md_context_t object is always in a consistent state, in particular, that the md_info field is always set. For robustness, ensure that the object is in a consistent state even on errors (other than BAD_INPUT_DATA if the object was not in a consistent state on entry). Fix #3486 Signed-off-by: Gilles Peskine --- ChangeLog.d/md_setup-leak.txt | 3 +++ library/md.c | 6 ++++-- 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 ChangeLog.d/md_setup-leak.txt diff --git a/ChangeLog.d/md_setup-leak.txt b/ChangeLog.d/md_setup-leak.txt new file mode 100644 index 000000000..5111d8ef8 --- /dev/null +++ b/ChangeLog.d/md_setup-leak.txt @@ -0,0 +1,3 @@ +Bugfix + * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory + conditions. Reported and fix suggested by Guido Vranken in #3486. diff --git a/library/md.c b/library/md.c index 3eb0fe389..0b9f3daa3 100644 --- a/library/md.c +++ b/library/md.c @@ -413,6 +413,10 @@ int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_inf if( md_info == NULL || ctx == NULL ) return( MBEDTLS_ERR_MD_BAD_INPUT_DATA ); + ctx->md_info = md_info; + ctx->md_ctx = NULL; + ctx->hmac_ctx = NULL; + switch( md_info->type ) { #if defined(MBEDTLS_MD2_C) @@ -468,8 +472,6 @@ int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_inf } } - ctx->md_info = md_info; - return( 0 ); } #undef ALLOC