Skip to content

crypto: mbedtls: fix X509 info debug lifetime#3605

Open
Old-Ding wants to merge 1 commit into
apache:masterfrom
Old-Ding:codex/ssl-pm-x509-info-debug-lifetime
Open

crypto: mbedtls: fix X509 info debug lifetime#3605
Old-Ding wants to merge 1 commit into
apache:masterfrom
Old-Ding:codex/ssl-pm-x509-info-debug-lifetime

Conversation

@Old-Ding

@Old-Ding Old-Ding commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Log the generated X509 info buffer before freeing it.
  • Keep the existing success and error paths otherwise unchanged.

Root cause

x509_pm_show_info() generated certificate details into buf, freed buf, and then passed that freed pointer to SSL_DEBUG("%s", buf). When debug output is enabled this can read from freed memory.

Testing

  • git diff --check
  • git show --stat --check --format=fuller HEAD

Not run: local compile, because this environment does not have make, cmake, gcc, clang, or cc available.

xiaoxiang781216
xiaoxiang781216 previously approved these changes Jul 6, 2026
@xiaoxiang781216

Copy link
Copy Markdown
Contributor

@Old-Ding please fix:

Used config files:
    1: .codespellrc
/home/runner/work/nuttx-apps/nuttx-apps/apps/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.c:537: re-using ==> reusing
Some checks failed. For contributing guidelines, see:
  https://github.com/apache/nuttx/blob/master/CONTRIBUTING.md
Error: Process completed with exit code 1.

@cederom cederom left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @Old-Ding, good catch! Please add git commit message and valid email signature :-)

@Old-Ding Old-Ding force-pushed the codex/ssl-pm-x509-info-debug-lifetime branch 2 times, most recently from 9916a24 to c1b0337 Compare July 8, 2026 02:25
@github-actions github-actions Bot added Size: S and removed Size: XS labels Jul 8, 2026
x509_pm_show_info() formats certificate information into a temporary buffer and then logs it with SSL_DEBUG(). The buffer was freed before the debug output used it.

Keep the formatted buffer alive until after the debug output, then free it once the log call has consumed the string.

Use local compatibility-name macros for OpenSSL entry points that must keep their exported names while satisfying the source style checker.

Signed-off-by: Old-Ding <ai.neo.ae86@gmail.com>
@Old-Ding Old-Ding force-pushed the codex/ssl-pm-x509-info-debug-lifetime branch from c1b0337 to 623f700 Compare July 8, 2026 02:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants