author | Neil Horman <nhorman@openssl.org> | 2023-11-09 08:13:58 -0500 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2023-11-21 13:12:15 +0100 |
commit | 1ea038bfa2726ad1bfbc220c8955c0fead9393d5 (patch) | |
tree | be504ecbcf230504b2804d121c87a49ec7f6156d /ssl | |
parent | 3b866985ba8a85b85034eb01d6ad286db678bb13 (diff) |
zero data in hm_fragment on alloc
If we allocate a new hm_fragment in dtls1_buffer_message with
dtls1_hm_fragment_new, the returned fragment contains uninitialized data in the
msg_header field. If an error then occurs, and we free the fragment,
dtls_hm_fragment_free interrogates the msg_header field (which is garbage), and
potentially references undefined values, or worse, accidentally references
available memory that is not owned, leading to various corruptions.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22679)
(cherry picked from commit e59ed0bfeece9db433809af2cebbe271a402d59b)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/statem_dtls.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index a88b0dfeac..97d9f4591c 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -62,7 +62,7 @@ static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly) unsigned char *buf = NULL; unsigned char *bitmask = NULL; - if ((frag = OPENSSL_malloc(sizeof(*frag))) == NULL) + if ((frag = OPENSSL_zalloc(sizeof(*frag))) == NULL) return NULL; if (frag_len) { |
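Review bot: the OPENSSL_zalloc call in dtls1_hm_fragment_new carries no comment saying why the structure has to be zeroed, so a later cleanup could switch it back to OPENSSL_malloc and bring back the uninitialized msg_header read that the commit message describes. Suggest a one-line comment above `if ((frag = OPENSSL_zalloc(sizeof(*frag))) == NULL)` stating that the free routine inspects msg_header on error paths and therefore needs a fully initialized fragment. The diffstat shown here is limited to ssl and lists only ssl/statem/statem_dtls.c, so it is worth confirming that a test driving an error after allocation, and then the free, accompanies the fix.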