Fix memory leak in ecp_mul_comb() if ecp_precompute_comb() fails

In ecp_mul_comb(), if (!p_eq_g && grp->T == NULL) and then ecp_precompute_comb() fails (which can happen due to OOM), then the new array of points T will be leaked (as it's newly allocated, but hasn't been asigned to grp->T yet). Symptom was a memory leak in ECDHE key exchange under low memory conditions.
2024-11-22 11:05:40 +01:00 · 2017-09-06 15:07:17 +10:00 · 2017-09-06 15:07:17 +10:00 · 608a487b9c
commit 608a487b9c
parent 6c34268e20
2 changed files with 8 additions and 1 deletions
--- a/2
+++ b/2
@ -86,6 +86,8 @@ Bugfix
   * Correct the documentation for `mbedtls_ssl_get_session()`. This API has
     deep copy of the session, and the peer certificate is not lost. Fixes #926.
   * Fix build using -std=c99. Fixed by Nick Wilson.
+   * Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
+     Fix contributed by Espressif Systems.

 Changes
   * Fail when receiving a TLS alert message with an invalid length, or invalid
--- a/library/ecp.c
+++ b/library/ecp.c
@ -1446,7 +1446,12 @@ static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,

 cleanup:

-    if( T != NULL && ! p_eq_g )
+    /* There are two cases where T is not stored in grp:
+     * - P != G
+     * - An intermediate operation failed before setting grp->T
+     * In either case, T must be freed.
+     */
+    if( T != NULL && T != grp->T )
    {
        for( i = 0; i < pre_len; i++ )
            mbedtls_ecp_point_free( &T[i] );