[PATCH] lib/mbedtls: Do not use ERR_PTR with mbedTLS error codes
Vsevolod Kozlov
zaba at mm.st
Sun Jul 5 08:46:28 CEST 2026
MbedTLS functions usually return zero for success and negative error
codes to indicate failure, but its error codes lie way outside the range
of -MAX_ERRNO, so using them with ERR_PTR creates values that do not
pass the IS_ERR check and lead to crashes. Substitute them with a
fixed error code to avoid problems.
Signed-off-by: Vsevolod Kozlov <zaba at mm.st>
---
lib/mbedtls/pkcs7_parser.c | 5 +++++
lib/mbedtls/x509_cert_parser.c | 6 +++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/mbedtls/pkcs7_parser.c b/lib/mbedtls/pkcs7_parser.c
index bf8ee17b5b8..2c85dcc9699 100644
--- a/lib/mbedtls/pkcs7_parser.c
+++ b/lib/mbedtls/pkcs7_parser.c
@@ -495,6 +495,11 @@ struct pkcs7_message *pkcs7_parse_message(const void *data, size_t datalen)
parse_fail:
mbedtls_pkcs7_free(&pkcs7_ctx);
pkcs7_free_message(msg);
+
+ /* MbedTLS error codes lie beyond MAX_ERRNO and are not suitable
+ * for ERR_PTR, but can be useful for debugging. */
+ debug("mbedtls returned error: %x\n", ret);
+ ret = -EINVAL;
out_no_msg:
msg = ERR_PTR(ret);
return msg;
diff --git a/lib/mbedtls/x509_cert_parser.c b/lib/mbedtls/x509_cert_parser.c
index e163e16b9bc..1c70a8fcdcb 100644
--- a/lib/mbedtls/x509_cert_parser.c
+++ b/lib/mbedtls/x509_cert_parser.c
@@ -425,7 +425,7 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
{
mbedtls_x509_crt mbedtls_cert;
struct x509_certificate *cert = NULL;
- long ret;
+ int ret;
/* Parse DER encoded certificate */
mbedtls_x509_crt_init(&mbedtls_cert);
@@ -443,5 +443,9 @@ clean_up_ctx:
if (!ret)
return cert;
+ /* MbedTLS error codes lie beyond MAX_ERRNO and are not suitable
+ * for ERR_PTR, but can be useful for debugging. */
+ debug("mbedtls returned error: %x\n", ret);
+ ret = -EINVAL;
return ERR_PTR(ret);
}
--
2.47.3
More information about the U-Boot
mailing list