zero data in hm_fragment on alloc

if we allocate a new hm_frament in dtls1_buffer_message with dtls1_hm_fragment_new, the returned fragment contains uninitalized data in the msg_header field. If an error then occurs, and we free the fragment, dtls_hm_fragment_free interrogates the msg_header field (which is garbage), and potentially references undefined values, or worse, accidentally references available memory that is not owned, leading to various corruptions. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22679) (cherry picked from commit e59ed0bfeece9db433809af2cebbe271a402d59b)
author: Neil Horman <nhorman@openssl.org> 2023-11-09 08:13:58 -0500
committer: Richard Levitte <levitte@openssl.org> 2023-11-21 13:12:15 +0100
commit: 1ea038bfa2726ad1bfbc220c8955c0fead9393d5 (patch)
tree: be504ecbcf230504b2804d121c87a49ec7f6156d /ssl
parent: 3b866985ba8a85b85034eb01d6ad286db678bb13 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index a88b0dfeac..97d9f4591c 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -62,7 +62,7 @@ static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly)
     unsigned char *buf = NULL;
     unsigned char *bitmask = NULL;
 
-    if ((frag = OPENSSL_malloc(sizeof(*frag))) == NULL)
+    if ((frag = OPENSSL_zalloc(sizeof(*frag))) == NULL)
         return NULL;
 
     if (frag_len) {
author	Neil Horman <nhorman@openssl.org>	2023-11-09 08:13:58 -0500
committer	Richard Levitte <levitte@openssl.org>	2023-11-21 13:12:15 +0100
commit	1ea038bfa2726ad1bfbc220c8955c0fead9393d5 (patch)
tree	be504ecbcf230504b2804d121c87a49ec7f6156d /ssl
parent	3b866985ba8a85b85034eb01d6ad286db678bb13 (diff)