author: Neil Horman <nhorman@openssl.org> 2023-11-09 08:13:58 -0500
committer: Richard Levitte <levitte@openssl.org> 2023-11-21 13:09:28 +0100
commit: e59ed0bfeece9db433809af2cebbe271a402d59b (patch)
tree: 80093609e32c33bc13a54eca2063fe17b9c33b5e /ssl
parent: 5091aadc223315ce115ee12f62df2af173bf5efb (diff)
zero data in hm_fragment on alloc
If we allocate a new hm_fragment in dtls1_buffer_message with dtls1_hm_fragment_new, the returned fragment contains uninitialized data in the msg_header field. If an error then occurs, and we free the fragment, dtls_hm_fragment_free interrogates the msg_header field (which is garbage), and potentially references undefined values, or worse, accidentally references available memory that is not owned, leading to various corruptions.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22679)
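The failure mode the commit message describes, reduced to a stand-alone C model. This is an added example and not OpenSSL code: the struct, the field names (`is_ccs`, `saved_ctx`, `fragment`), the `frag_new`/`frag_free` routines and the `fail_buf` failure injection are all assumptions chosen to mirror the shape of the bug. Uninitialized memory is simulated deterministically by filling a fresh `malloc` block with a poison byte, so the test can observe that the "before" allocation makes the free routine act on a header it never owned, while the zeroed allocation does not.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for hm_fragment; names are assumptions, not OpenSSL's. */
typedef struct {
    int is_ccs;        /* nonzero means saved_ctx is owned and must be released */
    void *saved_ctx;
} msg_header_t;

typedef struct {
    msg_header_t msg_header;
    unsigned char *fragment;
} hm_frag_t;

#define POISON 0xAA

/* malloc that fills the block with a poison byte: a deterministic stand-in
   for the unpredictable contents a real malloc hands back. */
static void *poison_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, POISON, n);
    return p;
}

static void *zalloc(size_t n)
{
    return calloc(1, n);
}

/* True when a pointer value consists only of poison bytes, i.e. was never assigned. */
static int is_garbage(const void *p)
{
    unsigned char b[sizeof p];
    size_t i;

    memcpy(b, &p, sizeof p);
    for (i = 0; i < sizeof p; i++)
        if (b[i] != POISON)
            return 0;
    return 1;
}

/* Models a fragment free routine that inspects msg_header to decide what to
   release. Instead of passing a never-assigned pointer to free(), it counts it,
   so the caller can see how many bogus releases the error path would have made. */
static int frag_free(hm_frag_t *frag)
{
    int bogus = 0;

    if (frag == NULL)
        return 0;
    if (frag->msg_header.is_ccs) {
        if (is_garbage(frag->msg_header.saved_ctx))
            bogus++;
        else
            free(frag->msg_header.saved_ctx);
    }
    if (is_garbage(frag->fragment))
        bogus++;
    else
        free(frag->fragment);
    free(frag);
    return bogus;
}

/* Models the allocation routine. zero_on_alloc selects the "before" (poisoned
   malloc) or "after" (zeroed) behaviour; fail_buf forces the buffer allocation
   to fail so the error path runs before msg_header was ever filled in. */
static hm_frag_t *frag_new(size_t frag_len, int zero_on_alloc, int fail_buf,
                           int *bogus_frees)
{
    hm_frag_t *frag = zero_on_alloc ? zalloc(sizeof *frag)
                                    : poison_malloc(sizeof *frag);

    *bogus_frees = 0;
    if (frag == NULL)
        return NULL;
    if (frag_len) {
        frag->fragment = fail_buf ? NULL : malloc(frag_len);
        if (frag->fragment == NULL) {
            /* error path: free the half-built fragment, as the real code does */
            *bogus_frees = frag_free(frag);
            return NULL;
        }
    }
    return frag;
}

int main(void)
{
    int bogus;

    frag_new(16, 0, 1, &bogus);
    printf("malloc + failed buffer alloc: %d bogus release(s)\n", bogus);
    frag_new(16, 1, 1, &bogus);
    printf("zalloc + failed buffer alloc: %d bogus release(s)\n", bogus);
    return 0;
}
```

With the poisoned allocation `is_ccs` is nonzero and `saved_ctx` is never-assigned bytes, so the free routine would hand an unowned pointer to the allocator; with the zeroed allocation every header field reads as "nothing to release". Running the real code under ASan or MSan with the buffer allocation forced to fail is the equivalent check.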
Diffstat (limited to 'ssl')
-rw-r--r-- ssl/statem/statem_dtls.c | 2
1 file changed, 1 insertion, 1 deletion
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index a88b0dfeac..97d9f4591c 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -62,7 +62,7 @@ static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly)
unsigned char *buf = NULL;
unsigned char *bitmask = NULL;
- if ((frag = OPENSSL_malloc(sizeof(*frag))) == NULL)
+ if ((frag = OPENSSL_zalloc(sizeof(*frag))) == NULL)
return NULL;
if (frag_len) {
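Review bot: the switch to OPENSSL_zalloc is correct but nothing at the allocation site records why it must stay zeroed; add a comment above the `frag = OPENSSL_zalloc(sizeof(*frag))` line stating that the fragment free routine reads msg_header on the error path before the caller has filled it in, so a later "optimisation" back to OPENSSL_malloc does not silently reintroduce the garbage read the commit message describes. A regression test that forces the `frag_len` buffer allocation to fail, run under ASan or MSan, would make that error path observable rather than relying on review.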