openssl/ssl
Marcus Huewe c0a58e034d Do not free a session before calling the remove_session_cb
If the remove_session_cb accesses the session's data (for instance,
via SSL_SESSION_get_protocol_version), a potential use after free
can occur. For this, consider the following scenario when adding
a new session via SSL_CTX_add_session:

- The session cache is full
  (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx))
- Only the session cache has a reference to ctx->session_cache_tail
  (that is, ctx->session_cache_tail->references == 1)

Since the cache is full, remove_session_lock is called to remove
ctx->session_cache_tail from the cache. That is, it
SSL_SESSION_free()s the session, which free()s the data. Afterwards,
the free()d session is passed to the remove_session_cb. If the callback
accesses the session's data, we have a use after free.

The free-before-calling-the-callback behavior was introduced in
commit e4612d02c5 ("Remove sessions from external cache, even if internal cache not used.").

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6222)
2018-06-07 13:08:07 +01:00
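The ordering bug described in the commit message above, as an added model (not OpenSSL code and not the real API): a refcounted session object, a bounded most-recently-used cache, and a removal callback that reads session data, with the pre-fix order (drop the cache's reference, then notify) beside the fixed order (notify, then drop the reference). All names here (sess_t, cache_t, cache_add, evict_tail, remove_cb_reads_session, run_scenario) are invented for the illustration and only mirror the roles of SSL_SESSION, the SSL_CTX session cache, SSL_CTX_add_session and remove_session_cb. Because reading freed memory is undefined behaviour, the model parks a destroyed session in a small quarantine instead of calling free() immediately; that is the one place where it deliberately differs from the real SSL_SESSION_free(), and it exists only so the buggy order can be observed deterministically.

```c
/* Added example modelling the eviction path in the commit message; not OpenSSL code. */
#include <stdio.h>
#include <stdlib.h>

typedef struct sess {
    int references;        /* like SSL_SESSION->references */
    int protocol_version;  /* what SSL_SESSION_get_protocol_version() would read */
    int freed;             /* model only: set once references reaches zero */
    struct sess *prev, *next;
} sess_t;

typedef struct cache cache_t;
typedef void (*remove_cb)(cache_t *c, sess_t *s);

struct cache {
    sess_t *head, *tail;    /* head = most recently added, tail = eviction candidate */
    size_t count, max;      /* SSL_CTX_sess_number / SSL_CTX_sess_get_cache_size */
    remove_cb on_remove;    /* remove_session_cb */
    int cb_saw_live;        /* 1 if the last callback ran on a still-live session */
    sess_t *quarantine[8];  /* model only: deferred free() keeps the demo defined */
    size_t nq;
};

static sess_t *sess_new(int version) {
    sess_t *s = calloc(1, sizeof *s);
    if (s == NULL) abort();
    s->references = 1;               /* creator holds the first reference */
    s->protocol_version = version;
    return s;
}

/* Model of SSL_SESSION_free(): drop one reference; at zero the object is destroyed. */
static void sess_free(cache_t *c, sess_t *s) {
    if (s == NULL || --s->references > 0) return;
    s->freed = 1;
    s->protocol_version = 0;         /* data is gone from the caller's point of view */
    if (c->nq < sizeof c->quarantine / sizeof c->quarantine[0])
        c->quarantine[c->nq++] = s;  /* real code: free(s) right here */
    else
        free(s);
}

/* A remove callback that accesses session data, as the commit message describes. */
static void remove_cb_reads_session(cache_t *c, sess_t *s) {
    c->cb_saw_live = (!s->freed && s->references >= 1 && s->protocol_version != 0);
}

static void evict_tail(cache_t *c, int callback_first) {
    sess_t *s = c->tail;
    if (s == NULL) return;
    c->tail = s->prev;               /* unlink from the doubly linked list */
    if (c->tail) c->tail->next = NULL; else c->head = NULL;
    s->prev = s->next = NULL;
    c->count--;
    if (callback_first) {
        if (c->on_remove) c->on_remove(c, s);  /* fixed: notify while we still hold a ref */
        sess_free(c, s);
    } else {
        sess_free(c, s);             /* pre-fix: with references == 1 this destroys s ... */
        if (c->on_remove) c->on_remove(c, s);  /* ... and the callback reads freed data */
    }
}

static void cache_add(cache_t *c, sess_t *s, int callback_first) {
    s->references++;                 /* the cache takes its own reference */
    s->next = c->head; s->prev = NULL;
    if (c->head) c->head->prev = s; else c->tail = s;
    c->head = s;
    c->count++;
    if (c->count > c->max)           /* cache full: remove the tail */
        evict_tail(c, callback_first);
}

/* Returns 1 if the remove callback saw a live session, 0 if it saw a destroyed one. */
static int run_scenario(int callback_first) {
    cache_t c = { .max = 2, .on_remove = remove_cb_reads_session };
    int live;
    for (int i = 0; i < 3; i++) {
        sess_t *s = sess_new(0x0303 + i);
        cache_add(&c, s, callback_first);
        sess_free(&c, s);            /* creator drops its ref: only the cache holds one now */
    }
    live = c.cb_saw_live;            /* recorded during the third add's eviction */
    while (c.tail) evict_tail(&c, 1);
    for (size_t k = 0; k < c.nq; k++) free(c.quarantine[k]);
    return live;
}

int main(void) {
    printf("fixed order   : callback saw live session = %d\n", run_scenario(1));
    printf("pre-fix order : callback saw live session = %d\n", run_scenario(0));
    return 0;
}
```

The two preconditions from the commit message are reproduced exactly: the cache is over its limit on the third add, and the evicted tail has only the cache's reference left because the creator already released its own. Swapping the two statements in evict_tail is the whole fix.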
record Mark DTLS records as read when we have finished with them 2018-05-11 14:20:56 +01:00
statem Reformulate the if condition in tls_process_new_session_ticket 2018-06-07 10:58:35 +01:00
bio_ssl.c
build.info
d1_lib.c
d1_msg.c
d1_srtp.c
methods.c
packet_locl.h
packet.c Update copyright year 2018-04-17 15:18:40 +02:00
pqueue.c Use void in all function definitions that do not take any arguments 2018-05-11 14:37:48 +02:00
s3_cbc.c
s3_enc.c
s3_lib.c Fix no-psk 2018-05-14 17:43:19 +01:00
s3_msg.c
ssl_asn1.c Don't store the ticket nonce in the session 2018-06-07 10:58:35 +01:00
ssl_cert_table.h
ssl_cert.c
ssl_ciph.c Fix configuration of TLSv1.3 ciphersuites 2018-04-04 16:17:26 +01:00
ssl_conf.c Allow configuration of the number of TLSv1.3 session tickets via SSL_CONF 2018-05-17 16:48:25 +01:00
ssl_err.c Fix last(?) batch of malloc-NULL places 2018-04-26 14:02:24 -04:00
ssl_init.c Add a config option to disable automatic config loading 2018-04-17 16:33:15 +02:00
ssl_lib.c Enable SSL_MODE_AUTO_RETRY by default 2018-05-22 22:45:28 +02:00
ssl_locl.h Don't store the ticket nonce in the session 2018-06-07 10:58:35 +01:00
ssl_mcnf.c Move the loading of the ssl_conf module to libcrypto 2018-04-05 15:30:12 +01:00
ssl_rsa.c
ssl_sess.c Do not free a session before calling the remove_session_cb 2018-06-07 13:08:07 +01:00
ssl_stat.c
ssl_txt.c Update copyright year 2018-05-29 13:16:04 +01:00
ssl_utst.c
t1_enc.c GOST MAC algorithms don't support EVP_PKEY_new_raw_private_key() 2018-03-30 19:28:33 +01:00
t1_lib.c Fix EAP-FAST 2018-06-07 09:48:49 +01:00
t1_trce.c Support TLSv1.3 draft 28 2018-05-15 10:02:59 +01:00
tls13_enc.c Fix TLSv1.3 ticket nonces 2018-06-07 10:58:35 +01:00
tls_srp.c Use the private RNG for data that is not public 2018-04-02 22:22:43 +02:00