authorMatt Caswell <matt@openssl.org>2023-10-12 15:42:22 +0100
committerMatt Caswell <matt@openssl.org>2023-10-23 10:08:12 +0100
commit1f8a8c1de90ebdb4f3c9dbbf3d1329e3f025e946 (patch)
tree69177e8e74b2e6075921d9e244cb98754cbd0d13
parent94300d8de224e2135e75439e6b9c63eb7ad61fdf (diff)
Fix a use-after-free in qrx_proces_pkt
When calling qrx_relocate_buffer, both the rxe and the pointer to the token may be changing locations. We have to use a temporary copy of the token pointer to avoid referencing the old location of the rxe. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22368)
-rw-r--r--ssl/quic/quic_record_rx.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c
index 6756ddb151..c75b4e93be 100644
--- a/ssl/quic/quic_record_rx.c
+++ b/ssl/quic/quic_record_rx.c
@@ -939,10 +939,19 @@ static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe,
*
* Relocate token buffer and fix pointer.
*/
- if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL
- && !qrx_relocate_buffer(qrx, &rxe, &i, &rxe->hdr.token,
- rxe->hdr.token_len))
- goto malformed;
+ if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL) {
+ const unsigned char *token = rxe->hdr.token;
+
+ /*
+ * This may change the value of rxe and change the value of the token
+ * pointer as well. So we must make a temporary copy of the pointer to
+ * the token, and then copy it back into the new location of the rxe
+ */
+ if (!qrx_relocate_buffer(qrx, &rxe, &i, &token, rxe->hdr.token_len))
+ goto malformed;
+
+ rxe->hdr.token = token;
+ }
/* Now remove header protection. */
*pkt = orig_pkt;