From 547ff6618fe75fb04cb5e3deb10163e50d63117c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 26 Nov 2014 15:42:16 +0100
Subject: [PATCH] Fix NULL dereference in buffer-based allocator

---
 ChangeLog | 6 ++++++
 library/memory_buffer_alloc.c | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 8370738b4..a1e9837f5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,12 @@ Features
    * Add support for Extended Master Secret (draft-ietf-tls-session-hash)
    * Add support for Encrypt-then-MAC (RFC 7366)
 
+Security
+   * NULL pointer dereference in the buffer-based allocator when the buffer is
+     full and polarssl_free() is called (found by Jean-Philippe Aumasson)
+     (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
+     not by default).
+
 Bugfix
    * Stack buffer overflow if ctr_drbg_update() is called with too large
      add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
diff --git a/library/memory_buffer_alloc.c b/library/memory_buffer_alloc.c
index 4f96018e3..9cae251d5 100644
--- a/library/memory_buffer_alloc.c
+++ b/library/memory_buffer_alloc.c
@@ -484,7 +484,8 @@ static void buffer_alloc_free( void *ptr )
     if( old == NULL )
     {
         hdr->next_free = heap.first_free;
-        heap.first_free->prev_free = hdr;
+        if( heap.first_free != NULL )
+            heap.first_free->prev_free = hdr;
         heap.first_free = hdr;
     }
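Review bot: The added guard stops the dereference when the free list is empty, but nothing in the hunk clears `hdr->prev_free` for the block that becomes the new list head, so unless that field is reset earlier in buffer_alloc_free (not visible here) the head could keep a stale back-pointer from an earlier free-list membership; if it is not already handled, `hdr->prev_free = NULL;` next to the `hdr->next_free = heap.first_free;` assignment would make the list invariant explicit. The new condition is easy to misread as a purely defensive check, so a one-line comment would help: `/* first_free is NULL once the whole buffer has been handed out */`. A regression test that allocates the entire buffer, frees a single block and then frees the remaining blocks would pin this path, since the fixed branch is only reachable when the heap is fully used. buffer_alloc_free begins before and continues after this hunk.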