mirror of
https://github.com/ARMmbed/mbedtls.git
synced 2025-10-20 13:04:23 +08:00
20 lines
1.1 KiB
Plaintext
Security
   * Fix possible use-after-free or double-free in code calling
     mbedtls_x509_string_to_names(). This was caused by the function calling
     mbedtls_asn1_free_named_data_list() on its head argument, while the
     documentation did not suggest it did, making it likely for callers relying
     on the documented behaviour to still hold pointers to memory blocks after
     they were free()d, resulting in high risk of use-after-free or double-free,
     with consequences ranging up to arbitrary code execution.
     In particular, the two sample programs x509/cert_write and x509/cert_req
     were affected (use-after-free if the san string contains more than one DN).
     Code that does not call mbedtls_x509_string_to_names() directly is not
     affected.
     Found by Linh Le and Ngan Nguyen from Calif.
     CVE-2025-47917

Changes
   * The function mbedtls_x509_string_to_names() now requires its head argument
     to point to NULL on entry. This makes it likely that existing risky uses of
     this function (see the entry in the Security section) will be detected and
     fixed.
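The contract change described in the Security and Changes entries, modelled as an added C example (not Mbed TLS code; every toy_* name is a hypothetical stand-in and the DN strings are constructed). A caller that reuses one head for two names has its first list freed behind its back under the old behaviour, and gets an error instead under the new one.

```c
#include <stdlib.h>

/* Toy model, NOT the Mbed TLS API: every toy_* name here is hypothetical. */
typedef struct toy_node { const char *val; struct toy_node *next; } toy_node;
#define TOY_ERR_BAD_INPUT (-1)
static int implicit_frees = 0; /* nodes freed by the parser, not the caller */

static int toy_free_list(toy_node **head) {
    int freed = 0;
    for (; *head != NULL; freed++) {
        toy_node *next = (*head)->next;
        free(*head);
        *head = next;
    }
    return freed;
}

/* Store one name in a single-node list (constructed stand-in for DN parsing).
 * strict == 0: old behaviour, silently frees whatever *head points to.
 * strict == 1: new behaviour, *head must be NULL on entry. */
static int toy_string_to_names(toy_node **head, const char *name, int strict) {
    if (strict && *head != NULL) return TOY_ERR_BAD_INPUT;
    implicit_frees += toy_free_list(head);
    toy_node *n = calloc(1, sizeof(*n));
    if (n == NULL) return TOY_ERR_BAD_INPUT;
    n->val = name;
    *head = n;
    return 0;
}

/* Caller that reuses one head for two DNs while keeping the first list.
 * Returns the number of its nodes the parser freed behind its back. */
static int caller_reusing_head(int strict, int *second_ret) {
    toy_node *head = NULL, *first;
    implicit_frees = 0;
    if (toy_string_to_names(&head, "CN=first", strict) != 0) return -1;
    first = head;                       /* caller keeps the first list */
    *second_ret = toy_string_to_names(&head, "CN=second", strict);
    if (*second_ret == 0) first = NULL; /* old: stale, must not be touched */
    else head = NULL;                   /* strict: first still owns the list */
    toy_free_list(&head);
    toy_free_list(&first);
    return implicit_frees;
}

int main(void) {
    int r;
    return caller_reusing_head(1, &r); /* 0: strict mode freed nothing */
}
```

Callers that need several name lists should start each call with a separate head initialised to NULL and free each list themselves.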