openssl/ssl/quic
Neil Horman bbfffbcaf3 Fix SSL_stream_reset for stream objects which have FIN bit set
When calling SSL_stream_reset on a QUIC stream object that has received
all data that is expected to be sent (i.e. when the sender has sent a
STREAM frame with the FIN bit set), we encounter the following segfault:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f0bd28 in ossl_quic_sstream_get_final_size (qss=0x0, final_size=0x0) at ssl/quic/quic_sstream.c:273
273	    if (!qss->have_final_size)
(gdb) bt
0)  0x00007ffff7f0bd28 in ossl_quic_sstream_get_final_size (qss=0x0, final_size=0x0) at ssl/quic/quic_sstream.c:273
1)  0x00007ffff7ef65bf in quic_validate_for_write (xso=0x5555555efcb0, err=0x7fffffffd5e0) at ssl/quic/quic_impl.c:2513
2)  0x00007ffff7ef8ae3 in ossl_quic_stream_reset (ssl=0x5555555efcb0, args=0x0, args_len=0) at ssl/quic/quic_impl.c:3657
3)  0x00007ffff7ebdaa6 in SSL_stream_reset (s=0x5555555efcb0, args=0x0, args_len=0) at ssl/ssl_lib.c:7635
4)  0x0000555555557527 in build_request_set (
    req_list=0x55555555ebd0 "neil1.txt neil2.txt neil3.txt neil4.txt neil5.txt neil6.txt neil7.txt neil8.txt neil9.txt neil10.txt neil11.txt neil12.txt neil13.txt neil14.txt neil15.txt neil16.txt neil17.txt neil18.txt neil19.txt "..., ssl=0x5555555b6f80)
    at demos/guide/quic-hq-interop.c:545
5)  0x00005555555587b2 in main (argc=4, argv=0x7fffffffe568) at demos/guide/quic-hq-interop.c:941

This occurs because:
1) When the stream FIN bit is set, the QUIC stack frees the underlying
   stream structures immediately within the QUIC stack
and
2) when SSL_stream_reset is called, the call stack indicates we call
   quic_validate_for_write, which attempts to access the
   xso->stream->sstream QUIC_SSTREAM object, which was already freed in
   (1)

The fix, I think, is pretty straightforward.  On receipt of a STREAM frame
with a FIN bit set, the QUIC stack sets the QUIC_STREAM object state to
QUIC_SSTREAM_STATE_DATA_RECVD, which means we can use that state to
simply assert that the stream is valid for write, which allows it to be
reset properly.

Fixes #25410

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25910)
2024-11-13 10:55:08 -05:00
build.info
cc_newreno.c
json_enc.c
qlog_event_helpers.c
qlog.c
quic_ackm.c
quic_cfq.c Copyright year updates 2024-09-05 09:35:49 +02:00
quic_channel_local.h
quic_channel.c
quic_demux.c
quic_engine_local.h
quic_engine.c Rename list macros 2024-09-26 10:02:30 +02:00
quic_fc.c
quic_fifd.c
quic_impl.c Fix SSL_stream_reset for stream objects which have FIN bit set 2024-11-13 10:55:08 -05:00
quic_lcidm.c
quic_local.h
quic_method.c
quic_port_local.h
quic_port.c Keep hold of a reference to the user SSL in QUIC 2024-11-07 12:05:23 +01:00
quic_rcidm.c Rename list macros 2024-09-26 10:02:30 +02:00
quic_reactor.c
quic_record_rx.c
quic_record_shared.c
quic_record_shared.h
quic_record_tx.c
quic_record_util.c Copyright year updates 2024-09-05 09:35:49 +02:00
quic_rstream.c
quic_rx_depack.c
quic_sf_list.c
quic_srt_gen.c
quic_srtm.c
quic_sstream.c
quic_statm.c
quic_stream_map.c Add (void) cast to result of ossl_quic_rxfc_on_retire() 2024-07-08 18:17:15 +02:00
quic_thread_assist.c
quic_tls.c
quic_trace.c Copyright year updates 2024-09-05 09:35:49 +02:00
quic_tserver.c
quic_txp.c txp_generate_stream_frames(): Set stream id in header early enough 2024-11-12 16:56:09 +01:00
quic_txpim.c
quic_types.c
quic_wire_pkt.c Fix memory leaks in ossl_quic_calculate_retry_integrity_tag() 2024-10-23 15:14:08 +02:00
quic_wire.c
uint_set.c