mbedtls_md_free causes invalid pointer access for non-hmac context

Jan 2, 2018 18:10

If mbedtls_md_setup is called with hmac set to zero then it seems like mbedtls_md_free will attempt to free memory that was not allocated via an invalid pointer.

Version is 2.5.1

Jan 7, 2018 13:56
Ron Eldor

Hi Mike,
Thank you for reporting this; however, I believe there is a mistake in your analysis.
Since calling mbedtls_md_init() will set the mbedtls_md_context_t to all zeros, including the hmac_ctx, when calling mbedtls_md_free:

    if( ctx->hmac_ctx != NULL )
    {
        /* wipe the HMAC pads before releasing them */
        mbedtls_zeroize( ctx->hmac_ctx, 2 * ctx->md_info->block_size );
        mbedtls_free( ctx->hmac_ctx );
    }

the hmac_ctx will not be accessed.
Am I missing something?
Mbed TLS Team member
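
The init/setup/free lifecycle discussed in this thread, as an added example that is not part of the original posts and is not Mbed TLS source: a self-contained C model in which init zeroes the context, so the free routine skips hmac_ctx when setup was called with hmac set to zero. All model_* names, the 32-byte digest state and the allocation counters are assumptions made for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for mbedtls_md_context_t (hypothetical model). */
typedef struct {
    size_t block_size;  /* stands in for md_info->block_size */
    void *md_ctx;       /* digest state, always allocated by setup */
    void *hmac_ctx;     /* HMAC pads, allocated only when hmac != 0 */
} model_md_context;

static int model_allocs, model_frees;  /* bookkeeping for the example only */

static void *model_calloc(size_t n, size_t sz)
{
    void *p = calloc(n, sz);
    if (p != NULL) model_allocs++;
    return p;
}
static void model_release(void *p) { if (p != NULL) { model_frees++; free(p); } }

/* Zero every field, so hmac_ctx starts out as NULL. */
void model_md_init(model_md_context *ctx) { memset(ctx, 0, sizeof(*ctx)); }

int model_md_setup(model_md_context *ctx, size_t block_size, int hmac)
{
    if ((ctx->md_ctx = model_calloc(1, 32)) == NULL) return -1;
    if (hmac != 0 && (ctx->hmac_ctx = model_calloc(2, block_size)) == NULL) {
        model_release(ctx->md_ctx);
        ctx->md_ctx = NULL;
        return -1;
    }
    ctx->block_size = block_size;
    return 0;
}

void model_md_free(model_md_context *ctx)
{
    if (ctx == NULL) return;
    model_release(ctx->md_ctx);
    if (ctx->hmac_ctx != NULL) {  /* same guard as the snippet quoted above */
        /* plain memset stands in for a zeroize the compiler cannot drop */
        memset(ctx->hmac_ctx, 0, 2 * ctx->block_size);
        model_release(ctx->hmac_ctx);
    }
    memset(ctx, 0, sizeof(*ctx));
}

/* One full cycle; returns allocations still outstanding (0 = balanced). */
int model_lifecycle(int hmac)
{
    model_md_context ctx;
    model_allocs = model_frees = 0;
    model_md_init(&ctx);
    if (model_md_setup(&ctx, 64, hmac) != 0) return -1;
    model_md_free(&ctx);
    return model_allocs - model_frees;
}
```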