mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-28 19:21:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix double free in psa_generate_key when psa_generate_random fails

Browse Source 
When psa_generate_random fails, psa_generate_key_internal frees the
key buffer but a the pointer to the now-freed buffer in the slot. Then
psa_generate_key calls psa_fail_key_creation which sees the pointer
and calls free() again.

This bug was introduced by ff5f0e7221d54e5a11db13c5198093a6b6bf4d53
"Implement atomic-creation psa_{generate,generator_import}_key" which
changed how psa_generate_key() cleans up on errors. I went through the
code and could not find a similar bug in cleanup on an error during
key creation.

Fix #207
This commit is contained in:
Gilles Peskine 2019-08-07 13:37:33 +02:00
parent b1f6c5fd4d
commit a6b2f60b4c
1 changed files with 0 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
library/psa_crypto.c
View File

@ -5718,10 +5718,7 @@ static psa_status_t psa_generate_key_internal(
status = psa_generate_random( slot->data.raw.data,
slot->data.raw.bytes );
if( status != PSA_SUCCESS )
{
mbedtls_free( slot->data.raw.data );
return( status );
}
#if defined(MBEDTLS_DES_C)
if( type == PSA_KEY_TYPE_DES )
psa_des_set_key_parity( slot->data.raw.data,