mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

TLSX_CA_Names_Parse: make sure to do cleanup when smallstack is on

Browse Source
This commit is contained in:
Juliusz Sosinowicz 2023-07-26 13:44:04 +02:00
parent 5947c9ae8c
commit a495bb4e7f
2 changed files with 17 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/tls.c
View File

@ -6647,6 +6647,7 @@ static int TLSX_CA_Names_Parse(WOLFSSL *ssl, const byte* input,
word32 idx = 0; word32 idx = 0;
WOLFSSL_X509_NAME* name = NULL; WOLFSSL_X509_NAME* name = NULL;
int ret = 0; int ret = 0;
int didInit = FALSE;
/* Use a DecodedCert struct to get access to GetName to /* Use a DecodedCert struct to get access to GetName to
* parse DN name */ * parse DN name */
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
@ -6664,24 +6665,27 @@ static int TLSX_CA_Names_Parse(WOLFSSL *ssl, const byte* input,
idx += OPAQUE16_LEN; idx += OPAQUE16_LEN;
if (extLen > length) if (extLen > length)
return BUFFER_ERROR; ret = BUFFER_ERROR;
InitDecodedCert(cert, input + idx, extLen, ssl->heap); if (ret == 0) {
idx += extLen; InitDecodedCert(cert, input + idx, extLen, ssl->heap);
didInit = TRUE;
ret = GetName(cert, SUBJECT, extLen); idx += extLen;
ret = GetName(cert, SUBJECT, extLen);
}
if (ret == 0 && (name = wolfSSL_X509_NAME_new()) == NULL) if (ret == 0 && (name = wolfSSL_X509_NAME_new()) == NULL)
ret = MEMORY_ERROR; ret = MEMORY_ERROR;
if (ret == 0) if (ret == 0) {
CopyDecodedName(name, cert, SUBJECT); CopyDecodedName(name, cert, SUBJECT);
if (wolfSSL_sk_X509_NAME_push(ssl->client_ca_names, name)
if (ret == 0 && wolfSSL_sk_X509_NAME_push(ssl->client_ca_names, name) == WOLFSSL_FAILURE)
== WOLFSSL_FAILURE)
ret = MEMORY_ERROR; ret = MEMORY_ERROR;
}
FreeDecodedCert(cert); if (didInit)
FreeDecodedCert(cert);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT); XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);

4
tests/api.c
View File

@ -62947,7 +62947,8 @@ static int test_TLSX_CA_NAMES_bad_extension(void)
EXPECT_DECLS; EXPECT_DECLS;
#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_TLS13) && \ #if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_TLS13) && \
!defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES) && \ !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES) && \
defined(OPENSSL_EXTRA) defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA384) && \
defined(HAVE_NULL_CIPHER)
/* This test should only fail (with BUFFER_ERROR) when we actually try to /* This test should only fail (with BUFFER_ERROR) when we actually try to
* parse the CA Names extension. Otherwise it will return other non-related * parse the CA Names extension. Otherwise it will return other non-related
* errors. If CA Names will be parsed in more configurations, that should * errors. If CA Names will be parsed in more configurations, that should
@ -62955,6 +62956,7 @@ static int test_TLSX_CA_NAMES_bad_extension(void)
WOLFSSL *ssl_c = NULL; WOLFSSL *ssl_c = NULL;
WOLFSSL_CTX *ctx_c = NULL; WOLFSSL_CTX *ctx_c = NULL;
struct test_memio_ctx test_ctx; struct test_memio_ctx test_ctx;
/* HRR + SH using TLS_DHE_PSK_WITH_NULL_SHA384 */
const byte shBadCaNamesExt[] = { const byte shBadCaNamesExt[] = {
0x16, 0x03, 0x04, 0x00, 0x3f, 0x02, 0x00, 0x00, 0x3b, 0x03, 0x03, 0xcf, 0x16, 0x03, 0x04, 0x00, 0x3f, 0x02, 0x00, 0x00, 0x3b, 0x03, 0x03, 0xcf,
0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e,