Merge remote-tracking branch 'upstream-public/pr/1942' into development
Resolve conflicts in ChangeLog
diff --git a/ChangeLog b/ChangeLog
index 61d0e4e..0598cfa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,8 @@
This improves compliance to RFC 4492, and as a result, solves
interoperability issues with BouncyCastle. Raised by milenamil in #1157.
* Replace printf with mbedtls_printf in aria. Found by TrinityTonic in #1908.
+ * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
+ and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.
Changes
* Copy headers preserving timestamps when doing a "make install".
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 91f96c8..3b047fc 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5973,6 +5973,9 @@
ssl->transform_in = NULL;
ssl->transform_out = NULL;
+ ssl->session_in = NULL;
+ ssl->session_out = NULL;
+
memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
if( partial == 0 )
memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
@@ -6842,14 +6845,14 @@
size_t transform_expansion;
const mbedtls_ssl_transform *transform = ssl->transform_out;
+ if( transform == NULL )
+ return( (int) mbedtls_ssl_hdr_len( ssl ) );
+
#if defined(MBEDTLS_ZLIB_SUPPORT)
if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
#endif
- if( transform == NULL )
- return( (int) mbedtls_ssl_hdr_len( ssl ) );
-
switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
{
case MBEDTLS_MODE_GCM:
