Skip to content

Commit 3796191

Browse files
In DoTls13CertificateRequest, avoid assigned the CertReqCtx to the SSL object until the function has finished.
This avoids ssl->certReqCtx being set when the function returns an error. Thanks to Cal Page for the report.
1 parent ee74935 commit 3796191

1 file changed

Lines changed: 25 additions & 12 deletions

File tree

src/tls13.c

Lines changed: 25 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -6053,7 +6053,8 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
60536053
int ret = 0;
60546054
Suites peerSuites;
60556055
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
6056-
CertReqCtx* certReqCtx;
6056+
word16 reqCtxLen;
6057+
const byte* reqCtxData;
60576058
#endif
60586059

60596060
WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_DO);
@@ -6077,18 +6078,12 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
60776078
return BUFFER_ERROR;
60786079

60796080
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
6080-
/* CertReqCtx has one byte at end for context value.
6081-
* Increase size to handle other implementations sending more than one byte.
6082-
* That is, allocate extra space, over one byte, to hold the context value.
6081+
/* Remember the request context bytes; the CertReqCtx allocation and
6082+
* linking into ssl->certReqCtx is deferred until after the rest of the
6083+
* message has been validated.
60836084
*/
6084-
certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx) + (len == 0 ? 0 : len - 1), ssl->heap,
6085-
DYNAMIC_TYPE_TMP_BUFFER);
6086-
if (certReqCtx == NULL)
6087-
return MEMORY_E;
6088-
certReqCtx->next = ssl->certReqCtx;
6089-
certReqCtx->len = len;
6090-
XMEMCPY(&certReqCtx->ctx, input + *inOutIdx, len);
6091-
ssl->certReqCtx = certReqCtx;
6085+
reqCtxLen = len;
6086+
reqCtxData = input + *inOutIdx;
60926087
#endif
60936088
*inOutIdx += len;
60946089

@@ -6155,6 +6150,24 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
61556150
/* This message is always encrypted so add encryption padding. */
61566151
*inOutIdx += ssl->keys.padSz;
61576152

6153+
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
6154+
{
6155+
/* CertReqCtx has one byte at end for context value.
6156+
* Increase size to handle other implementations sending more than one byte.
6157+
* That is, allocate extra space, over one byte, to hold the context value.
6158+
*/
6159+
CertReqCtx* certReqCtx = (CertReqCtx*)XMALLOC(
6160+
sizeof(CertReqCtx) + (reqCtxLen == 0 ? 0 : reqCtxLen - 1),
6161+
ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
6162+
if (certReqCtx == NULL)
6163+
return MEMORY_E;
6164+
certReqCtx->next = ssl->certReqCtx;
6165+
certReqCtx->len = reqCtxLen;
6166+
XMEMCPY(&certReqCtx->ctx, reqCtxData, reqCtxLen);
6167+
ssl->certReqCtx = certReqCtx;
6168+
}
6169+
#endif
6170+
61586171
WOLFSSL_LEAVE("DoTls13CertificateRequest", ret);
61596172
WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_DO);
61606173

0 commit comments

Comments
 (0)