From 02f30230c4fb8fe8bf4d75e4146620a5bea914a9 Mon Sep 17 00:00:00 2001
From: Valerio Setti <valerio.setti@nordicsemi.no>
Date: Tue, 20 Feb 2024 10:22:36 +0100
Subject: [PATCH] pem: zeroize the entire buffer in case of errors in
 mbedtls_pem_read_buffer()

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
---
 library/pem.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/library/pem.c b/library/pem.c
index 1b1edc06b7..0fee5df43a 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -453,18 +453,20 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const
 #endif /* MBEDTLS_AES_C */
 
         if (ret != 0) {
-            mbedtls_free(buf);
+            mbedtls_zeroize_and_free(buf, len);
             return ret;
         }
 
         /* Check PKCS padding and update data length based on padding info.
          * This can be used to detect invalid padding data and password
          * mismatches. */
-        ret = pem_check_pkcs_padding(buf, len, &len);
+        size_t unpadded_len;
+        ret = pem_check_pkcs_padding(buf, len, &unpadded_len);
         if (ret != 0) {
             mbedtls_zeroize_and_free(buf, len);
             return ret;
         }
+        len = unpadded_len;
 #else
         mbedtls_zeroize_and_free(buf, len);
         return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE;