Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 99771fa

Browse files
ESP-YJMESP-YJM
committed
fix(mbedtls): Fix mbedtls_ssl_send_alert_message crash due to ssl->out_iv is NULL
1 parent 870aa0a commit 99771fa

File tree

3 files changed

+114
-78
lines changed

3 files changed

+114
-78
lines changed

components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c

Lines changed: 97 additions & 76 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,33 @@
2323

2424
static const char *TAG = "Dynamic Impl";
2525

26+
static void esp_mbedtls_set_buf_state(unsigned char *buf, esp_mbedtls_ssl_buf_states state)
27+
{
28+
struct esp_mbedtls_ssl_buf *temp = __containerof(buf, struct esp_mbedtls_ssl_buf, buf[0]);
29+
temp->state = state;
30+
}
31+
32+
static esp_mbedtls_ssl_buf_states esp_mbedtls_get_buf_state(unsigned char *buf)
33+
{
34+
struct esp_mbedtls_ssl_buf *temp = __containerof(buf, struct esp_mbedtls_ssl_buf, buf[0]);
35+
return temp->state;
36+
}
37+
38+
void esp_mbedtls_free_buf(unsigned char *buf)
39+
{
40+
struct esp_mbedtls_ssl_buf *temp = __containerof(buf, struct esp_mbedtls_ssl_buf, buf[0]);
41+
ESP_LOGV(TAG, "free buffer @ %p", temp);
42+
mbedtls_free(temp);
43+
}
44+
45+
static void esp_mbedtls_init_ssl_buf(struct esp_mbedtls_ssl_buf *buf, unsigned int len)
46+
{
47+
if (buf) {
48+
buf->state = ESP_MBEDTLS_SSL_BUF_CACHED;
49+
buf->len = len;
50+
}
51+
}
52+
2653
static void esp_mbedtls_parse_record_header(mbedtls_ssl_context *ssl)
2754
{
2855
ssl->in_msgtype = ssl->in_hdr[0];
@@ -118,29 +145,30 @@ static void init_rx_buffer(mbedtls_ssl_context *ssl, unsigned char *buf)
118145

119146
static int esp_mbedtls_alloc_tx_buf(mbedtls_ssl_context *ssl, int len)
120147
{
121-
unsigned char *buf;
148+
struct esp_mbedtls_ssl_buf *esp_buf;
122149

123150
if (ssl->out_buf) {
124-
mbedtls_free(ssl->out_buf);
151+
esp_mbedtls_free_buf(ssl->out_buf);
125152
ssl->out_buf = NULL;
126153
}
127154

128-
buf = mbedtls_calloc(1, len);
129-
if (!buf) {
130-
ESP_LOGE(TAG, "alloc(%d bytes) failed", len);
155+
esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + len);
156+
if (!esp_buf) {
157+
ESP_LOGE(TAG, "alloc(%d bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + len);
131158
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
132159
}
133160

134-
ESP_LOGV(TAG, "add out buffer %d bytes @ %p", len, buf);
161+
ESP_LOGV(TAG, "add out buffer %d bytes @ %p", len, esp_buf->buf);
135162

163+
esp_mbedtls_init_ssl_buf(esp_buf, len);
136164
/**
137165
* Mark the out_msg offset from ssl->out_buf.
138-
*
166+
*
139167
* In mbedtls, ssl->out_msg = ssl->out_buf + offset;
140168
*/
141169
ssl->out_msg = (unsigned char *)MBEDTLS_SSL_HEADER_LEN;
142170

143-
init_tx_buffer(ssl, buf);
171+
init_tx_buffer(ssl, esp_buf->buf);
144172

145173
return 0;
146174
}
@@ -150,7 +178,7 @@ int esp_mbedtls_setup_tx_buffer(mbedtls_ssl_context *ssl)
150178
CHECK_OK(esp_mbedtls_alloc_tx_buf(ssl, TX_IDLE_BUFFER_SIZE));
151179

152180
/* mark the out buffer has no data cached */
153-
ssl->out_iv = NULL;
181+
esp_mbedtls_set_buf_state(ssl->out_buf, ESP_MBEDTLS_SSL_BUF_NO_CACHED);
154182

155183
return 0;
156184
}
@@ -168,10 +196,7 @@ int esp_mbedtls_reset_add_tx_buffer(mbedtls_ssl_context *ssl)
168196

169197
int esp_mbedtls_reset_free_tx_buffer(mbedtls_ssl_context *ssl)
170198
{
171-
ESP_LOGV(TAG, "free out buffer @ %p", ssl->out_buf);
172-
173-
mbedtls_free(ssl->out_buf);
174-
199+
esp_mbedtls_free_buf(ssl->out_buf);
175200
init_tx_buffer(ssl, NULL);
176201

177202
CHECK_OK(esp_mbedtls_setup_tx_buffer(ssl));
@@ -181,76 +206,75 @@ int esp_mbedtls_reset_free_tx_buffer(mbedtls_ssl_context *ssl)
181206

182207
int esp_mbedtls_reset_add_rx_buffer(mbedtls_ssl_context *ssl)
183208
{
184-
unsigned char *buf;
209+
struct esp_mbedtls_ssl_buf *esp_buf;
185210

186211
if (ssl->in_buf) {
187-
mbedtls_free(ssl->in_buf);
212+
esp_mbedtls_free_buf(ssl->in_buf);
188213
ssl->in_buf = NULL;
189214
}
190215

191-
buf = mbedtls_calloc(1, MBEDTLS_SSL_IN_BUFFER_LEN);
192-
if (!buf) {
193-
ESP_LOGE(TAG, "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN);
216+
esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + MBEDTLS_SSL_IN_BUFFER_LEN);
217+
if (!esp_buf) {
218+
ESP_LOGE(TAG, "alloc(%d bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + MBEDTLS_SSL_IN_BUFFER_LEN);
194219
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
195220
}
196221

197-
ESP_LOGV(TAG, "add in buffer %d bytes @ %p", MBEDTLS_SSL_IN_BUFFER_LEN, buf);
222+
ESP_LOGV(TAG, "add in buffer %d bytes @ %p", MBEDTLS_SSL_IN_BUFFER_LEN, esp_buf->buf);
198223

224+
esp_mbedtls_init_ssl_buf(esp_buf, MBEDTLS_SSL_IN_BUFFER_LEN);
199225
/**
200226
* Mark the in_msg offset from ssl->in_buf.
201-
*
227+
*
202228
* In mbedtls, ssl->in_msg = ssl->in_buf + offset;
203229
*/
204230
ssl->in_msg = (unsigned char *)MBEDTLS_SSL_HEADER_LEN;
205231

206-
init_rx_buffer(ssl, buf);
232+
init_rx_buffer(ssl, esp_buf->buf);
207233

208-
return 0;
234+
return 0;
209235
}
210236

211237
void esp_mbedtls_reset_free_rx_buffer(mbedtls_ssl_context *ssl)
212238
{
213-
ESP_LOGV(TAG, "free in buffer @ %p", ssl->in_buf);
214-
215-
mbedtls_free(ssl->in_buf);
216-
217-
init_rx_buffer(ssl, NULL);
239+
esp_mbedtls_free_buf(ssl->in_buf);
240+
init_rx_buffer(ssl, NULL);
218241
}
219242

220243
int esp_mbedtls_add_tx_buffer(mbedtls_ssl_context *ssl, size_t buffer_len)
221244
{
222245
int ret = 0;
223246
int cached = 0;
224-
unsigned char *buf;
247+
struct esp_mbedtls_ssl_buf *esp_buf;
225248
unsigned char cache_buf[CACHE_BUFFER_SIZE];
226249

227250
ESP_LOGV(TAG, "--> add out");
228251

229252
if (ssl->out_buf) {
230-
if (ssl->out_iv) {
253+
if (esp_mbedtls_get_buf_state(ssl->out_buf) == ESP_MBEDTLS_SSL_BUF_CACHED) {
231254
ESP_LOGV(TAG, "out buffer is not empty");
232255
ret = 0;
233256
goto exit;
234257
} else {
235258
memcpy(cache_buf, ssl->out_buf, CACHE_BUFFER_SIZE);
236-
237-
mbedtls_free(ssl->out_buf);
259+
esp_mbedtls_free_buf(ssl->out_buf);
238260
init_tx_buffer(ssl, NULL);
239261
cached = 1;
240262
}
241263
}
242264

243265
buffer_len = tx_buffer_len(ssl, buffer_len);
244266

245-
buf = mbedtls_calloc(1, buffer_len);
246-
if (!buf) {
247-
ESP_LOGE(TAG, "alloc(%d bytes) failed", buffer_len);
267+
esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + buffer_len);
268+
if (!esp_buf) {
269+
ESP_LOGE(TAG, "alloc(%d bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + buffer_len);
248270
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
249271
goto exit;
250272
}
251273

252-
ESP_LOGV(TAG, "add out buffer %d bytes @ %p", buffer_len, buf);
253-
init_tx_buffer(ssl, buf);
274+
ESP_LOGV(TAG, "add out buffer %d bytes @ %p", buffer_len, esp_buf->buf);
275+
276+
esp_mbedtls_init_ssl_buf(esp_buf, buffer_len);
277+
init_tx_buffer(ssl, esp_buf->buf);
254278

255279
if (cached) {
256280
memcpy(ssl->out_ctr, cache_buf, COUNTER_SIZE);
@@ -270,34 +294,31 @@ int esp_mbedtls_free_tx_buffer(mbedtls_ssl_context *ssl)
270294
{
271295
int ret = 0;
272296
unsigned char buf[CACHE_BUFFER_SIZE];
273-
unsigned char *pdata;
297+
struct esp_mbedtls_ssl_buf *esp_buf;
274298

275299
ESP_LOGV(TAG, "--> free out");
276300

277-
if (!ssl->out_buf || (ssl->out_buf && !ssl->out_iv)) {
301+
if (!ssl->out_buf || (ssl->out_buf && (esp_mbedtls_get_buf_state(ssl->out_buf) == ESP_MBEDTLS_SSL_BUF_NO_CACHED))) {
278302
ret = 0;
279303
goto exit;
280304
}
281305

282306
memcpy(buf, ssl->out_ctr, COUNTER_SIZE);
283307
memcpy(buf + COUNTER_SIZE, ssl->out_iv, CACHE_IV_SIZE);
284308

285-
ESP_LOGV(TAG, "free out buffer @ %p", ssl->out_buf);
286-
287-
mbedtls_free(ssl->out_buf);
288-
309+
esp_mbedtls_free_buf(ssl->out_buf);
289310
init_tx_buffer(ssl, NULL);
290311

291-
pdata = mbedtls_calloc(1, TX_IDLE_BUFFER_SIZE);
292-
if (!pdata) {
293-
ESP_LOGE(TAG, "alloc(%d bytes) failed", TX_IDLE_BUFFER_SIZE);
312+
esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + TX_IDLE_BUFFER_SIZE);
313+
if (!esp_buf) {
314+
ESP_LOGE(TAG, "alloc(%d bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + TX_IDLE_BUFFER_SIZE);
294315
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
295316
}
296317

297-
memcpy(pdata, buf, CACHE_BUFFER_SIZE);
298-
init_tx_buffer(ssl, pdata);
299-
ssl->out_iv = NULL;
300-
318+
esp_mbedtls_init_ssl_buf(esp_buf, TX_IDLE_BUFFER_SIZE);
319+
memcpy(esp_buf->buf, buf, CACHE_BUFFER_SIZE);
320+
init_tx_buffer(ssl, esp_buf->buf);
321+
esp_mbedtls_set_buf_state(ssl->out_buf, ESP_MBEDTLS_SSL_BUF_NO_CACHED);
301322
exit:
302323
ESP_LOGV(TAG, "<-- free out");
303324

@@ -309,23 +330,19 @@ int esp_mbedtls_add_rx_buffer(mbedtls_ssl_context *ssl)
309330
int cached = 0;
310331
int ret = 0;
311332
int buffer_len;
312-
unsigned char *buf;
333+
struct esp_mbedtls_ssl_buf *esp_buf;
313334
unsigned char cache_buf[16];
314335
unsigned char msg_head[5];
315336
size_t in_msglen, in_left;
316337

317338
ESP_LOGV(TAG, "--> add rx");
318339

319340
if (ssl->in_buf) {
320-
if (ssl->in_iv) {
341+
if (esp_mbedtls_get_buf_state(ssl->in_buf) == ESP_MBEDTLS_SSL_BUF_CACHED) {
321342
ESP_LOGV(TAG, "in buffer is not empty");
322343
ret = 0;
323344
goto exit;
324345
} else {
325-
memcpy(cache_buf, ssl->in_buf, 16);
326-
327-
mbedtls_free(ssl->in_buf);
328-
init_rx_buffer(ssl, NULL);
329346
cached = 1;
330347
}
331348
}
@@ -341,7 +358,7 @@ int esp_mbedtls_add_rx_buffer(mbedtls_ssl_context *ssl)
341358
} else {
342359
ESP_LOGE(TAG, "mbedtls_ssl_fetch_input error=-0x%x", -ret);
343360
}
344-
361+
345362
goto exit;
346363
}
347364

@@ -354,16 +371,23 @@ int esp_mbedtls_add_rx_buffer(mbedtls_ssl_context *ssl)
354371
ESP_LOGV(TAG, "message length is %d RX buffer length should be %d left is %d",
355372
(int)in_msglen, (int)buffer_len, (int)ssl->in_left);
356373

357-
buf = mbedtls_calloc(1, buffer_len);
358-
if (!buf) {
359-
ESP_LOGE(TAG, "alloc(%d bytes) failed", buffer_len);
374+
if (cached) {
375+
memcpy(cache_buf, ssl->in_buf, 16);
376+
esp_mbedtls_free_buf(ssl->in_buf);
377+
init_rx_buffer(ssl, NULL);
378+
}
379+
380+
esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + buffer_len);
381+
if (!esp_buf) {
382+
ESP_LOGE(TAG, "alloc(%d bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + buffer_len);
360383
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
361384
goto exit;
362385
}
363386

364-
ESP_LOGV(TAG, "add in buffer %d bytes @ %p", buffer_len, buf);
387+
ESP_LOGV(TAG, "add in buffer %d bytes @ %p", buffer_len, esp_buf->buf);
365388

366-
init_rx_buffer(ssl, buf);
389+
esp_mbedtls_init_ssl_buf(esp_buf, buffer_len);
390+
init_rx_buffer(ssl, esp_buf->buf);
367391

368392
if (cached) {
369393
memcpy(ssl->in_ctr, cache_buf, 8);
@@ -377,22 +401,22 @@ int esp_mbedtls_add_rx_buffer(mbedtls_ssl_context *ssl)
377401
exit:
378402
ESP_LOGV(TAG, "<-- add rx");
379403

380-
return ret;
404+
return ret;
381405
}
382406

383407
int esp_mbedtls_free_rx_buffer(mbedtls_ssl_context *ssl)
384408
{
385409
int ret = 0;
386410
unsigned char buf[16];
387-
unsigned char *pdata;
411+
struct esp_mbedtls_ssl_buf *esp_buf;
388412

389413
ESP_LOGV(TAG, "--> free rx");
390414

391415
/**
392416
* When have read multi messages once, can't free the input buffer directly.
393417
*/
394418
if (!ssl->in_buf || (ssl->in_hslen && (ssl->in_hslen < ssl->in_msglen)) ||
395-
(ssl->in_buf && !ssl->in_iv)) {
419+
(ssl->in_buf && (esp_mbedtls_get_buf_state(ssl->in_buf) == ESP_MBEDTLS_SSL_BUF_NO_CACHED))) {
396420
ret = 0;
397421
goto exit;
398422
}
@@ -407,23 +431,20 @@ int esp_mbedtls_free_rx_buffer(mbedtls_ssl_context *ssl)
407431
memcpy(buf, ssl->in_ctr, 8);
408432
memcpy(buf + 8, ssl->in_iv, 8);
409433

410-
ESP_LOGV(TAG, "free in buffer @ %p", ssl->out_buf);
411-
412-
mbedtls_free(ssl->in_buf);
413-
434+
esp_mbedtls_free_buf(ssl->in_buf);
414435
init_rx_buffer(ssl, NULL);
415436

416-
pdata = mbedtls_calloc(1, 16);
417-
if (!pdata) {
418-
ESP_LOGE(TAG, "alloc(%d bytes) failed", 16);
437+
esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + 16);
438+
if (!esp_buf) {
439+
ESP_LOGE(TAG, "alloc(%d bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + 16);
419440
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
420441
goto exit;
421442
}
422443

423-
memcpy(pdata, buf, 16);
424-
init_rx_buffer(ssl, pdata);
425-
ssl->in_iv = NULL;
426-
444+
esp_mbedtls_init_ssl_buf(esp_buf, 16);
445+
memcpy(esp_buf->buf, buf, 16);
446+
init_rx_buffer(ssl, esp_buf->buf);
447+
esp_mbedtls_set_buf_state(ssl->in_buf, ESP_MBEDTLS_SSL_BUF_NO_CACHED);
427448
exit:
428449
ESP_LOGV(TAG, "<-- free rx");
429450

@@ -438,7 +459,7 @@ size_t esp_mbedtls_get_crt_size(mbedtls_x509_crt *cert, size_t *num)
438459
while (cert) {
439460
bytes += cert->raw.len;
440461
n++;
441-
462+
442463
cert = cert->next;
443464
}
444465

components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,21 @@
4141
\
4242
})
4343

44+
typedef enum {
45+
ESP_MBEDTLS_SSL_BUF_CACHED,
46+
ESP_MBEDTLS_SSL_BUF_NO_CACHED,
47+
} esp_mbedtls_ssl_buf_states;
48+
49+
struct esp_mbedtls_ssl_buf {
50+
esp_mbedtls_ssl_buf_states state;
51+
unsigned int len;
52+
unsigned char buf[];
53+
};
54+
55+
#define SSL_BUF_HEAD_OFFSET_SIZE offsetof(struct esp_mbedtls_ssl_buf, buf)
56+
57+
void esp_mbedtls_free_buf(unsigned char *buf);
58+
4459
int esp_mbedtls_setup_tx_buffer(mbedtls_ssl_context *ssl);
4560

4661
void esp_mbedtls_setup_rx_buffer(mbedtls_ssl_context *ssl);

0 commit comments

Comments
 (0)