[PATCH] cmd: lwip: wget: free mbedtls x509 cert context to avoid memory leak
Naveen Kumar Chaudhary
naveen.osdev at gmail.com
Fri Jul 10 17:21:33 CEST 2026
_set_cacert() calls mbedtls_x509_crt_init(&crt) followed by
mbedtls_x509_crt_parse(), which allocates internal storage (parsed
cert fields, chain links, raw buffers) inside the crt object. The
function then returns on both the error and success paths without
calling mbedtls_x509_crt_free(&crt), so all of that internal state
is leaked when the stack-allocated crt goes out of scope. Every
invocation of "wget cacert ..." leaks memory.
Free the cert object on both return paths.
Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev at gmail.com>
---
cmd/lwip/wget.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/cmd/lwip/wget.c b/cmd/lwip/wget.c
index 4883ad61bce..531e886e986 100644
--- a/cmd/lwip/wget.c
+++ b/cmd/lwip/wget.c
@@ -67,12 +67,15 @@ static int _set_cacert(const void *addr, size_t sz)
if (ret) {
if (!wget_info->silent)
printf("Could not parse certificates (%d)\n", ret);
+ mbedtls_x509_crt_free(&crt);
free(cacert);
cacert = NULL;
cacert_size = 0;
return CMD_RET_FAILURE;
}
+ mbedtls_x509_crt_free(&crt);
+
#if CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT)
cacert_initialized = true;
#endif
--
2.43.0
More information about the U-Boot
mailing list