Fix NULL dereference in buffer-based allocator

2014-11-26 15:42:16 +01:00 · 2014-11-26 15:42:16 +01:00 · 547ff6618f
commit 547ff6618f
parent 765bb31d24
2 changed files with 8 additions and 1 deletions
--- a/6
+++ b/6
@ -9,6 +9,12 @@ Features
   * Add support for Extended Master Secret (draft-ietf-tls-session-hash)
   * Add support for Encrypt-then-MAC (RFC 7366)

+Security
+   * NULL pointer dereference in the buffer-based allocator when the buffer is
+     full and polarssl_free() is called (found by Jean-Philippe Aumasson)
+     (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
+     not by default).
+
 Bugfix
   * Stack buffer overflow if ctr_drbg_update() is called with too large
     add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
--- a/library/memory_buffer_alloc.c
+++ b/library/memory_buffer_alloc.c
@ -484,7 +484,8 @@ static void buffer_alloc_free( void *ptr )
    if( old == NULL )
    {
        hdr->next_free = heap.first_free;
-        heap.first_free->prev_free = hdr;
+        if( heap.first_free != NULL )
+            heap.first_free->prev_free = hdr;
        heap.first_free = hdr;
    }