1Security 2 * Fix possible usr-after-free or double-free in code calling 3 mbedtls_x509_string_to_names(). This was caused by the function calling 4 mbedtls_asn1_free_named_data_list() on its head argument, while the 5 documentation did no suggest it did, making it likely for callers relying 6 on the documentd behaviour to still hold pointers to memory blocks after 7 they were free()d, resulting in high risk of use-after-free or double-free, 8 with consequences ranging up to arbitrary code execution. 9 Inparticular, the two sample programs x509/cert_write and x509/cert_req 10 were affected (use_after_free if the san string contains more than one DN). 11 Code that does not call mbedtls_string_to_names() directly is not affected. 12 Found by Linh Le and Ngan Nguyen from Calif. 13 14Changes 15 * The function mbedtls_string_to_names() now requires its head argument 16 to point to NULL on entry. This makes it likely that existing risky uses of 17 this function (see the entry in the Security seciton) will be detected and 18 fixed.