Set rl->packet to NULL after we've finished using it

To make sure we do not end up with a use-after-free (UAF), we reset the rl->packet pointer
to NULL (and rl->packet_length to 0) when the read buffer it points into is freed.

Follow on from CVE-2024-4741

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24395)
This commit is contained in:
Matt Caswell 2024-04-23 16:36:11 +01:00
parent 38690cab18
commit bfb8128190


@ -283,6 +283,8 @@ static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl)
OPENSSL_cleanse(b->buf, b->len);
OPENSSL_free(b->buf);
b->buf = NULL;
rl->packet = NULL;
rl->packet_length = 0;
return 1;
}
@ -325,6 +327,12 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
/* ... now we can act as if 'extend' was set */
}
if (!ossl_assert(rl->packet != NULL)) {
/* does not happen */
RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return OSSL_RECORD_RETURN_FATAL;
}
len = rl->packet_length;
pkt = rb->buf + align;
/*
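Review bot: In tls_release_read_buffer the new code NULLs `b->buf` and `rl->packet` but leaves `b->len` at the old buffer size, so a repeated release on the same record layer would hand NULL with a non-zero length to the OPENSSL_cleanse call at the top of the hunk unless a guard outside the hunk prevents it. Since the commit already zeroes `rl->packet_length` next to `rl->packet` for exactly this kind of stale-state defence, the buffer length deserves the same treatment: `b->len = 0;` directly after `b->buf = NULL;`. Whether TLS_BUFFER carries other fields (an offset, for instance) that should be reset alongside cannot be seen from here. Both tls_release_read_buffer and tls_default_read_n begin outside the hunks shown, so any uses of rl->packet that precede the new ossl_assert in tls_default_read_n are not reviewed here.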