author | Matt Caswell <matt@openssl.org> | 2023-10-12 15:42:22 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2023-10-23 10:08:12 +0100 |
commit | 1f8a8c1de90ebdb4f3c9dbbf3d1329e3f025e946 (patch) | |
tree | 69177e8e74b2e6075921d9e244cb98754cbd0d13 | |
parent | 94300d8de224e2135e75439e6b9c63eb7ad61fdf (diff) |
Fix a use-after-free in qrx_process_pkt
When calling qrx_relocate_buffer, both the rxe and the pointer to the token
may be changing locations. We have to use a temporary copy of the token
pointer to avoid referencing the old location of the rxe.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)
-rw-r--r-- | ssl/quic/quic_record_rx.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c
index 6756ddb151..c75b4e93be 100644
--- a/ssl/quic/quic_record_rx.c
+++ b/ssl/quic/quic_record_rx.c
@@ -939,10 +939,19 @@ static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe,
 *
 * Relocate token buffer and fix pointer.
 */
- if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL
- && !qrx_relocate_buffer(qrx, &rxe, &i, &rxe->hdr.token,
- rxe->hdr.token_len))
- goto malformed;
+ if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL) {
+ const unsigned char *token = rxe->hdr.token;
+
+ /*
+ * This may change the value of rxe and change the value of the token
+ * pointer as well. So we must make a temporary copy of the pointer to
+ * the token, and then copy it back into the new location of the rxe
+ */
+ if (!qrx_relocate_buffer(qrx, &rxe, &i, &token, rxe->hdr.token_len))
+ goto malformed;
+
+ rxe->hdr.token = token;
+ }
 
 /* Now remove header protection. */
 *pkt = orig_pkt;
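Review bot: The hazard this hunk works around is really a contract of qrx_relocate_buffer, not of this call site: the function updates the pointer passed by address after `*prxe` may already have been moved, so that argument must never alias storage inside the old rxe. That constraint is only recorded in the caller-side comment here, so another caller passing `&rxe->hdr.<field>` would reintroduce the same use-after-free; it is worth stating at the definition of qrx_relocate_buffer (outside this hunk), e.g. `/* ptr must not point into *prxe: the rxe may be relocated before *ptr is written back. */`. The new block is otherwise safe to read in isolation because `rxe->hdr.token_len` is evaluated as an argument before the call runs, so it still refers to the live rxe. The enclosing qrx_process_pkt begins and ends outside the hunk, so whether `rxe` is still dereferenced on the `malformed` path after a failed relocation cannot be checked from here.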