From 5aebeeb5f469ede0cd12839718fca66c05f9757b Mon Sep 17 00:00:00 2001
From: Ron Eldor
Date: Wed, 22 May 2019 16:41:21 +0300
Subject: [PATCH] Set next sequence of subject_alt_names to NULL

Set the next sequence of the subject_alt_name to NULL when deleting sequence on failure in `get_subject_alt_name()`. Found by Philippe Antoine. Credit to OSS-Fuzz.
---
 ChangeLog          | 3 +++
 library/x509_crt.c | 1 +
 2 files changed, 4 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index d33369272..6ac3e781b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -46,6 +46,9 @@ Bugfix
      for the parameter.
    * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
      sni entry parameter. Reported by inestlerode in #560.
+   * Set the next sequence of the subject_alt_name to NULL when deleting
+     sequence on failure. Found and fix suggested by Philippe Antoine.
+     Credit to OSS-Fuzz.
 
 API Changes
    * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 708dbf771..dfd22f6e5 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -681,6 +681,7 @@ static int x509_get_subject_alt_name( unsigned char **p,
                                           sizeof( mbedtls_x509_sequence ) );
                 mbedtls_free( seq_prv );
             }
+            subject_alt_name->next = NULL;
 
             return( ret );
         }
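Review bot: The fix lands without a regression test: the diffstat lists only ChangeLog and library/x509_crt.c, so the malformed-SAN input that OSS-Fuzz found is not captured in the X.509 parse test suite, and nothing would catch a future cleanup path that again leaves `subject_alt_name->next` dangling. The new assignment also deserves a why-comment, since the head entry is not freed by the loop above it and its `next` otherwise still points at memory that loop just released, which the certificate's free routine would presumably walk later: `/* The head entry is owned by the caller and still links to the entries freed above; clear it so the owner's free routine does not walk freed memory. */`. x509_get_subject_alt_name starts outside the hunk, so whether this cleanup covers every error path of the function or only this one cannot be confirmed from here.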