[PATCH] lib/mbedtls: Do not use ERR_PTR with mbedTLS error codes

Vsevolod Kozlov zaba at mm.st
Sun Jul 5 08:46:28 CEST 2026


MbedTLS functions usually return zero for success and negative error
codes to indicate failure, but its error codes lie way outside the range
of -MAX_ERRNO, so using them with ERR_PTR creates values that do not
pass the IS_ERR check and lead to crashes. Substitute them with a
fixed error code to avoid problems.

Signed-off-by: Vsevolod Kozlov <zaba at mm.st>
---
 lib/mbedtls/pkcs7_parser.c     | 5 +++++
 lib/mbedtls/x509_cert_parser.c | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/mbedtls/pkcs7_parser.c b/lib/mbedtls/pkcs7_parser.c
index bf8ee17b5b8..2c85dcc9699 100644
--- a/lib/mbedtls/pkcs7_parser.c
+++ b/lib/mbedtls/pkcs7_parser.c
@@ -495,6 +495,11 @@ struct pkcs7_message *pkcs7_parse_message(const void *data, size_t datalen)
 parse_fail:
 	mbedtls_pkcs7_free(&pkcs7_ctx);
 	pkcs7_free_message(msg);
+
+	/* MbedTLS error codes lie beyond MAX_ERRNO and are not suitable
+	 * for ERR_PTR, but can be useful for debugging. */
+	debug("mbedtls returned error: %x\n", ret);
+	ret = -EINVAL;
 out_no_msg:
 	msg = ERR_PTR(ret);
 	return msg;
diff --git a/lib/mbedtls/x509_cert_parser.c b/lib/mbedtls/x509_cert_parser.c
index e163e16b9bc..1c70a8fcdcb 100644
--- a/lib/mbedtls/x509_cert_parser.c
+++ b/lib/mbedtls/x509_cert_parser.c
@@ -425,7 +425,7 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
 {
 	mbedtls_x509_crt mbedtls_cert;
 	struct x509_certificate *cert = NULL;
-	long ret;
+	int ret;
 
 	/* Parse DER encoded certificate */
 	mbedtls_x509_crt_init(&mbedtls_cert);
@@ -443,5 +443,9 @@ clean_up_ctx:
 	if (!ret)
 		return cert;
 
+	/* MbedTLS error codes lie beyond MAX_ERRNO and are not suitable
+	 * for ERR_PTR, but can be useful for debugging. */
+	debug("mbedtls returned error: %x\n", ret);
+	ret = -EINVAL;
 	return ERR_PTR(ret);
 }
-- 
2.47.3



More information about the U-Boot mailing list