mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-03-28 19:21:08 +00:00
Fix double free in psa_generate_key when psa_generate_random fails
When psa_generate_random fails, psa_generate_key_internal frees the key buffer but a the pointer to the now-freed buffer in the slot. Then psa_generate_key calls psa_fail_key_creation which sees the pointer and calls free() again. This bug was introduced by ff5f0e7221d54e5a11db13c5198093a6b6bf4d53 "Implement atomic-creation psa_{generate,generator_import}_key" which changed how psa_generate_key() cleans up on errors. I went through the code and could not find a similar bug in cleanup on an error during key creation. Fix #207
This commit is contained in:
parent
b1f6c5fd4d
commit
a6b2f60b4c
@ -5718,10 +5718,7 @@ static psa_status_t psa_generate_key_internal(
|
||||
status = psa_generate_random( slot->data.raw.data,
|
||||
slot->data.raw.bytes );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
mbedtls_free( slot->data.raw.data );
|
||||
return( status );
|
||||
}
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
if( type == PSA_KEY_TYPE_DES )
|
||||
psa_des_set_key_parity( slot->data.raw.data,
|
||||
|
Loading…
x
Reference in New Issue
Block a user