diff --git a/ChangeLog b/ChangeLog index 1443bcb6e..e77053150 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,9 @@ Bugfix cause buffer bound checks to be bypassed. Found by Eyal Itkin. * Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America. + * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused + by missing calls to mbedtls_pem_free() in cases when a + MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. = mbed TLS 2.4.1 branch released 2016-12-13 diff --git a/library/x509_crl.c b/library/x509_crl.c index 5b0adeffc..76c49f135 100644 --- a/library/x509_crl.c +++ b/library/x509_crl.c @@ -525,16 +525,17 @@ int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, s if( ( ret = mbedtls_x509_crl_parse_der( chain, pem.buf, pem.buflen ) ) != 0 ) { + mbedtls_pem_free( &pem ); return( ret ); } - - mbedtls_pem_free( &pem ); } else if( is_pem ) { mbedtls_pem_free( &pem ); return( ret ); } + + mbedtls_pem_free( &pem ); } /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte. * And a valid CRL cannot be less than 1 byte anyway. */