authorMatt Caswell <matt@openssl.org>2024-04-23 16:36:11 +0100
committerMatt Caswell <matt@openssl.org>2024-05-28 13:28:13 +0100
commitbfb8128190632092b3a66465838b87b469455cec (patch)
treea2253b1626f71ad2aa881556ee758e55b197b71a /ssl
parent38690cab18de88198f46478565fab423cf534efa (diff)
Set rl->packet to NULL after we've finished using it
In order to ensure we do not have a UAF we reset the rl->packet pointer to NULL after we free it. Follow on from CVE-2024-4741 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24395)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/record/methods/tls_common.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index 88ce83fab1..b09991cafb 100644
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@@ -283,6 +283,8 @@ static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl)
OPENSSL_cleanse(b->buf, b->len);
OPENSSL_free(b->buf);
b->buf = NULL;
+ rl->packet = NULL;
+ rl->packet_length = 0;
return 1;
}
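Review bot: The two added resets in tls_release_read_buffer have no comment saying why they belong next to the free, and the reason is not obvious from these lines alone. Going by the commit message and by `pkt = rb->buf + align` in the next hunk, rl->packet appears to point into b->buf, so I would add `/* rl->packet points into b->buf; clear it so nothing dangles after the free */` above `rl->packet = NULL;`. Zeroing rl->packet_length also discards any bytes still counted in the packet, so the function's contract should state that callers may release the buffer only when no unprocessed record data remains; whether callers enforce that is not visible here. The start of the function is outside the hunk.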
@@ -325,6 +327,12 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
/* ... now we can act as if 'extend' was set */
}
+ if (!ossl_assert(rl->packet != NULL)) {
+ /* does not happen */
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+
len = rl->packet_length;
pkt = rb->buf + align;
/*
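Review bot: The `/* does not happen */` comment on the new ossl_assert does not name the invariant that makes a NULL rl->packet impossible, so a later reader cannot tell when the check would become reachable. If the intent is what the first hunk suggests, a comment such as `/* rl->packet is NULL only after tls_release_read_buffer(); reading into a released buffer is a state bug */` would tie the check to the release path. Separately, `pkt = rb->buf + align` two lines below uses rb->buf, which that same release path sets to NULL, and no check on it is visible in this hunk; if it is not validated earlier in tls_default_read_n, consider `if (!ossl_assert(rl->packet != NULL && rb->buf != NULL)) {`. The function begins before and continues after the hunk.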