From 608a487b9cf1b40fed7c02d18296b3224a8dd4b1 Mon Sep 17 00:00:00 2001 From: Angus Gratton Date: Wed, 6 Sep 2017 15:07:17 +1000 Subject: [PATCH] Fix memory leak in ecp_mul_comb() if ecp_precompute_comb() fails In ecp_mul_comb(), if (!p_eq_g && grp->T == NULL) and then ecp_precompute_comb() fails (which can happen due to OOM), then the new array of points T will be leaked (as it's newly allocated, but hasn't been asigned to grp->T yet). Symptom was a memory leak in ECDHE key exchange under low memory conditions. --- ChangeLog | 2 ++ library/ecp.c | 7 ++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 4c09593b7..7ea276b1a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -86,6 +86,8 @@ Bugfix * Correct the documentation for `mbedtls_ssl_get_session()`. This API has deep copy of the session, and the peer certificate is not lost. Fixes #926. * Fix build using -std=c99. Fixed by Nick Wilson. + * Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails. + Fix contributed by Espressif Systems. Changes * Fail when receiving a TLS alert message with an invalid length, or invalid diff --git a/library/ecp.c b/library/ecp.c index 41db3fbe5..68c6f4914 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -1446,7 +1446,12 @@ static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, cleanup: - if( T != NULL && ! p_eq_g ) + /* There are two cases where T is not stored in grp: + * - P != G + * - An intermediate operation failed before setting grp->T + * In either case, T must be freed. + */ + if( T != NULL && T != grp->T ) { for( i = 0; i < pre_len; i++ ) mbedtls_ecp_point_free( &T[i] );