author | Matt Caswell <matt@openssl.org> | 2024-04-23 16:36:11 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2024-05-28 13:28:13 +0100 |
commit | bfb8128190632092b3a66465838b87b469455cec (patch) | |
tree | a2253b1626f71ad2aa881556ee758e55b197b71a /ssl | |
parent | 38690cab18de88198f46478565fab423cf534efa (diff) |
Set rl->packet to NULL after we've finished using it
In order to ensure we do not have a UAF we reset the rl->packet pointer
to NULL after we free it.
Follow on from CVE-2024-4741
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24395)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/record/methods/tls_common.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index 88ce83fab1..b09991cafb 100644
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@@ -283,6 +283,8 @@ static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl)
 OPENSSL_cleanse(b->buf, b->len);
 OPENSSL_free(b->buf);
 b->buf = NULL;
+ rl->packet = NULL;
+ rl->packet_length = 0;
 return 1;
 }
@@ -325,6 +327,12 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
 /* ... now we can act as if 'extend' was set */
 }
+ if (!ossl_assert(rl->packet != NULL)) {
+ /* does not happen */
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+
 len = rl->packet_length;
 pkt = rb->buf + align;
 /* |
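Review bot: The two resets added after `b->buf = NULL;` in tls_release_read_buffer have no comment saying why they sit next to the free, and the reason cannot be read from this function alone. The commit message implies rl->packet would otherwise keep pointing at the freed buffer, so a one-line comment such as `/* rl->packet points into b->buf; it must not outlive the buffer */` would keep a later cleanup from dropping the lines as redundant. It is also worth confirming that any other path that frees or replaces the read buffer clears rl->packet and rl->packet_length together in the same way; those paths, and the start of this function, are outside the hunk.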
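Review bot: The `/* does not happen */` comment on the new guard in tls_default_read_n contradicts the first hunk, which makes a NULL rl->packet the defined state after tls_release_read_buffer. If a read with 'extend' set can arrive after the buffer was released, this branch is the live defence against using a stale packet pointer rather than dead code, so the comment should say that, e.g. `/* rl->packet is cleared when the read buffer is released; never extend a record without one */`. Because ossl_assert() also aborts in debug builds, it is worth checking that the condition cannot be driven by peer-controlled input or application call order. The guard covers only rl->packet, while the next context lines compute `pkt = rb->buf + align;`, so rb->buf needs to be known non-NULL from earlier in the function, which is outside the hunk.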