Fix NULL dereference in buffer-based allocator

Manuel Pégourié-Gonnard 2014-11-26 15:42:16 +01:00 committed by Paul Bakker
parent 765bb31d24
commit 547ff6618f
2 changed files with 8 additions and 1 deletions

@ -9,6 +9,12 @@ Features
* Add support for Extended Master Secret (draft-ietf-tls-session-hash) * Add support for Extended Master Secret (draft-ietf-tls-session-hash)
* Add support for Encrypt-then-MAC (RFC 7366) * Add support for Encrypt-then-MAC (RFC 7366)
Security
* NULL pointer dereference in the buffer-based allocator when the buffer is
full and polarssl_free() is called (found by Jean-Philippe Aumasson)
(only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
not by default).
Bugfix Bugfix
* Stack buffer overflow if ctr_drbg_update() is called with too large * Stack buffer overflow if ctr_drbg_update() is called with too large
add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
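
Review bot: the new Security entry does not say whether the NULL dereference can be triggered remotely, while the ctr_drbg_update() entry directly below it states "(not triggerable remotely)". Since this one is filed under Security rather than Bugfix, consider adding the same kind of qualifier so that users who enable POLARSSL_MEMORY_BUFFER_ALLOC_C can judge how urgently they need the update.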

@ -484,7 +484,8 @@ static void buffer_alloc_free( void *ptr )
if( old == NULL ) if( old == NULL )
{ {
hdr->next_free = heap.first_free; hdr->next_free = heap.first_free;
heap.first_free->prev_free = hdr; if( heap.first_free != NULL )
heap.first_free->prev_free = hdr;
heap.first_free = hdr; heap.first_free = hdr;
} }
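
Review bot: the guard added before `heap.first_free->prev_free = hdr;` in the `old == NULL` branch comes without a regression test; the commit changes only two files, the changelog and this allocator source. Consider adding a test that allocates until the buffer is full and then calls polarssl_free(), which is the case the changelog entry describes, so the empty free list path stays covered. As a style point, the new `if( heap.first_free != NULL )` is unbraced inside a branch that itself uses braces; bracing it would keep a later second statement from landing outside the check.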