Merge pull request #6391 from davidhorstmann-arm/fix-x509-get-name-cleanup

The Open CI ran successfully thus I think we can ignore the internal CI.
2025-07-29 11:41:15 +03:00 · 2022-10-26 14:27:54 +02:00
parent 3e0ea98b7c 2bb9c8a884
commit 4f7feca0dc
4 changed files with 116 additions and 4 deletions
--- a/library/x509.c
+++ b/library/x509.c
@ -459,6 +459,11 @@ static int x509_get_attr_type_value( unsigned char **p,
 * For the general case we still use a flat list, but we mark elements of the
 * same set so that they are "merged" together in the functions that consume
 * this list, eg mbedtls_x509_dn_gets().
+ *
+ * On success, this function may allocate a linked list starting at cur->next
+ * that must later be free'd by the caller using mbedtls_free(). In error
+ * cases, this function frees all allocated memory internally and the caller
+ * has no freeing responsibilities.
 */
 int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
                   mbedtls_x509_name *cur )
@ -466,6 +471,8 @@ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t set_len;
    const unsigned char *end_set;
+    mbedtls_x509_name *head = cur;
+    mbedtls_x509_name *prev, *allocated;

    /* don't use recursion, we'd risk stack overflow if not optimized */
    while( 1 )
@ -475,14 +482,17 @@ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
         */
        if( ( ret = mbedtls_asn1_get_tag( p, end, &set_len,
                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ) ) != 0 )
-            return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_NAME, ret ) );
+        {
+            ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_NAME, ret );
+            goto error;
+        }

        end_set  = *p + set_len;

        while( 1 )
        {
            if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
-                return( ret );
+                goto error;

            if( *p == end_set )
                break;
@ -493,7 +503,10 @@ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
            cur->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_name ) );

            if( cur->next == NULL )
-                return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+            {
+                ret = MBEDTLS_ERR_X509_ALLOC_FAILED;
+                goto error;
+            }

            cur = cur->next;
        }
@ -507,10 +520,30 @@ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
        cur->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_name ) );

        if( cur->next == NULL )
-            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+        {
+            ret = MBEDTLS_ERR_X509_ALLOC_FAILED;
+            goto error;
+        }

        cur = cur->next;
    }
+
+error:
+    /* Skip the first element as we did not allocate it */
+    allocated = head->next;
+
+    while( allocated != NULL )
+    {
+        prev = allocated;
+        allocated = allocated->next;
+
+        mbedtls_platform_zeroize( prev, sizeof( *prev ) );
+        mbedtls_free( prev );
+    }
+
+    mbedtls_platform_zeroize( head, sizeof( *head ) );
+
+    return( ret );
 }

 static int x509_parse_int( unsigned char **p, size_t n, int *res )