TLSX_CA_Names_Parse: make sure to do cleanup when smallstack is on

2023-07-26 13:44:04 +02:00 · 2023-07-26 13:44:04 +02:00 · a495bb4e7f
commit a495bb4e7f
parent 5947c9ae8c
2 changed files with 17 additions and 11 deletions
--- a/src/tls.c
+++ b/src/tls.c
@ -6647,6 +6647,7 @@ static int TLSX_CA_Names_Parse(WOLFSSL *ssl, const byte* input,
        word32 idx = 0;
        WOLFSSL_X509_NAME* name = NULL;
        int ret = 0;
+        int didInit = FALSE;
        /* Use a DecodedCert struct to get access to GetName to
         * parse DN name */
 #ifdef WOLFSSL_SMALL_STACK
@ -6664,24 +6665,27 @@ static int TLSX_CA_Names_Parse(WOLFSSL *ssl, const byte* input,
        idx += OPAQUE16_LEN;

        if (extLen > length)
-            return BUFFER_ERROR;
+            ret = BUFFER_ERROR;

-        InitDecodedCert(cert, input + idx, extLen, ssl->heap);
-        idx += extLen;
-
-        ret = GetName(cert, SUBJECT, extLen);
+        if (ret == 0) {
+            InitDecodedCert(cert, input + idx, extLen, ssl->heap);
+            didInit = TRUE;
+            idx += extLen;
+            ret = GetName(cert, SUBJECT, extLen);
+        }

        if (ret == 0 && (name = wolfSSL_X509_NAME_new()) == NULL)
            ret = MEMORY_ERROR;

-        if (ret == 0)
+        if (ret == 0) {
            CopyDecodedName(name, cert, SUBJECT);
-
-        if (ret == 0 && wolfSSL_sk_X509_NAME_push(ssl->client_ca_names, name)
-                == WOLFSSL_FAILURE)
+            if (wolfSSL_sk_X509_NAME_push(ssl->client_ca_names, name)
+                    == WOLFSSL_FAILURE)
            ret = MEMORY_ERROR;
+        }

-        FreeDecodedCert(cert);
+        if (didInit)
+            FreeDecodedCert(cert);

 #ifdef WOLFSSL_SMALL_STACK
        XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
--- a/tests/api.c
+++ b/tests/api.c
@ -62947,7 +62947,8 @@ static int test_TLSX_CA_NAMES_bad_extension(void)
    EXPECT_DECLS;
 #if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_TLS13) && \
    !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES) && \
-    defined(OPENSSL_EXTRA)
+    defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA384) && \
+    defined(HAVE_NULL_CIPHER)
    /* This test should only fail (with BUFFER_ERROR) when we actually try to
     * parse the CA Names extension. Otherwise it will return other non-related
     * errors. If CA Names will be parsed in more configurations, that should
@ -62955,6 +62956,7 @@ static int test_TLSX_CA_NAMES_bad_extension(void)
    WOLFSSL *ssl_c = NULL;
    WOLFSSL_CTX *ctx_c = NULL;
    struct test_memio_ctx test_ctx;
+    /* HRR + SH using TLS_DHE_PSK_WITH_NULL_SHA384 */
    const byte shBadCaNamesExt[] = {
        0x16, 0x03, 0x04, 0x00, 0x3f, 0x02, 0x00, 0x00, 0x3b, 0x03, 0x03, 0xcf,
        0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e,