feat(mbedtls): skip memset ssl buffers with dynamic buffer enabled.

As with dynamic buffer feature enabled, the buffers are handled dynamically, there is no need to memset these on connection reset. This can help to save some heap memory allocation.
2026-06-05 21:14:47 +00:00 · 2025-07-28 14:07:05 +08:00
parent 635267f5e3
commit ffb280bb63
3 changed files with 12 additions and 0 deletions
@@ -1344,6 +1344,7 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
                                       sig, sig_size, sig_len);
 #else /* MBEDTLS_USE_PSA_CRYPTO */

+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
    if (ctx->pk_info->type == MBEDTLS_PK_RSA_ALT) {
        mbedtls_rsa_alt_context *rsa_alt = ctx->pk_ctx;
        mbedtls_rsa_context *rsa = (mbedtls_rsa_context *)rsa_alt->key;
@@ -1353,6 +1354,7 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
                                sig, sig_size, sig_len, f_rng, p_rng);
        }
    }
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */

    if (sig_size < mbedtls_pk_get_len(ctx)) {
        return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
@@ -1468,6 +1468,12 @@ void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
    size_t in_buf_len = ssl->in_buf_len;
    size_t out_buf_len = ssl->out_buf_len;
+/* ESP Change: For dynamic buffer feature, the buffer allocation shall be 
+ * handled on-demand basis and hence skip the memset in this API on the buffer pointers 
+ */
+#elif defined(CONFIG_MBEDTLS_DYNAMIC_BUFFER)
+    size_t in_buf_len = 0;
+    size_t out_buf_len = 0;
 #else
    size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
    size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
@@ -7,6 +7,10 @@ cve-keywords:
  - mbed tls
  - mbedtls
 cve-exclude-list:
+  - cve: CVE-2025-54764
+    reason: Fixed in 3.6.5
+  - cve: CVE-2025-59438
+    reason: Fixed in 3.6.5
  - cve: CVE-2025-52496
    reason: Fixed in 3.6.4
  - cve: CVE-2025-27810