mbedtls_md_free causes invalid pointer access for non-hmac context


Jan 2, 2018 18:10
Mike

If mbedtls_md_setup is called with hmac set to zero then it seems like mbedtls_md_free will attempt to free memory that was not allocated via an invalid pointer.

Version is 2.5.1

 
Jan 7, 2018 13:56
Ron Eldor

Hi Mike,
Thank you for reporting this; however, I believe there is a mistake in your analysis.
Since calling mbedtls_md_init() will set the mbedtls_md_context_t to all zeros, including the hmac_ctx, when calling mbedtls_md_free:

    if( ctx->hmac_ctx != NULL )
    {
        mbedtls_zeroize( ctx->hmac_ctx, 2 * ctx->md_info->block_size );
        mbedtls_free( ctx->hmac_ctx );
    }

the hmac_ctx will not be accessed.
Am I missing something?
Regards,
Mbed TLS Team member
Ron
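
The init/setup/free lifecycle described in the reply above, as an added example that is not part of the original thread and is not Mbed TLS source. It is a simplified stand-in: every `demo_*` name, the 32-byte state buffer and the block size of 64 are assumptions made for illustration.

```c
/* Added example: simplified stand-in, not Mbed TLS source; demo_* names are hypothetical. */
#include <stdlib.h>
#include <string.h>

typedef struct { size_t block_size; } demo_info_t;
typedef struct { const demo_info_t *md_info; void *md_ctx, *hmac_ctx; } demo_md_context_t;
static int demo_frees; /* counts released buffers so the behaviour can be checked */
static void demo_release(void *p) { demo_frees++; free(p); }

/* Plays the role of mbedtls_md_init(): every field becomes zero / NULL. */
void demo_md_init(demo_md_context_t *ctx) { memset(ctx, 0, sizeof(*ctx)); }

/* With hmac == 0, hmac_ctx keeps the NULL written by demo_md_init(). */
int demo_md_setup(demo_md_context_t *ctx, const demo_info_t *info, int hmac)
{
    if ((ctx->md_ctx = calloc(1, 32)) == NULL) /* placeholder hash state */
        return -1;
    if (hmac != 0 && (ctx->hmac_ctx = calloc(2, info->block_size)) == NULL) {
        free(ctx->md_ctx);
        ctx->md_ctx = NULL;
        return -1;
    }
    ctx->md_info = info;
    return 0;
}

/* Same guard as the quoted snippet: hmac_ctx is touched only when non-NULL.
 * memset stands in for a wipe routine the compiler cannot optimise away. */
void demo_md_free(demo_md_context_t *ctx)
{
    if (ctx == NULL || ctx->md_info == NULL)
        return;
    if (ctx->md_ctx != NULL)
        demo_release(ctx->md_ctx);
    if (ctx->hmac_ctx != NULL) {
        memset(ctx->hmac_ctx, 0, 2 * ctx->md_info->block_size);
        demo_release(ctx->hmac_ctx);
    }
    memset(ctx, 0, sizeof(*ctx));
}

/* One init/setup/free cycle; returns the number of buffers released. */
int demo_cycle(int hmac)
{
    static const demo_info_t info = { 64 }; /* constructed block size */
    demo_md_context_t ctx;
    demo_frees = 0;
    demo_md_init(&ctx);
    if (demo_md_setup(&ctx, &info, hmac) != 0) return -1;
    demo_md_free(&ctx);
    return demo_frees;
}
```

The NULL guard is only meaningful after the init call: a context on the stack that was never initialised holds indeterminate pointer values.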