Set rl->packet to NULL after we've finished using it
authorMatt Caswell <matt@openssl.org>
Tue, 23 Apr 2024 15:36:11 +0000 (16:36 +0100)
committerMatt Caswell <matt@openssl.org>
Tue, 28 May 2024 12:28:13 +0000 (13:28 +0100)
In order to ensure we do not have a UAF, we reset the rl->packet pointer
to NULL after we free it.

Follow on from CVE-2024-4741

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24395)

ssl/record/methods/tls_common.c

index 88ce83fab12f724f9c868b177a12c8afb8a6edb0..b09991cafb1d7c7cd1b874846da6157e492db32b 100644 (file)
@@ -283,6 +283,8 @@ static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl)
         OPENSSL_cleanse(b->buf, b->len);
     OPENSSL_free(b->buf);
     b->buf = NULL;
+    rl->packet = NULL;
+    rl->packet_length = 0;
     return 1;
 }
 
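Review bot: The two added assignments carry no comment, so a reader of tls_release_read_buffer cannot tell from this hunk why a record-layer pointer is being cleared inside a buffer-release routine. The second hunk suggests rl->packet aliases the read buffer (`pkt = rb->buf + align;` paired with `len = rl->packet_length;`), so the reset is what prevents the dangling pointer the commit message describes; that should be stated where the reset happens, e.g. `/* rl->packet points into b->buf, which has just been freed; clear it so a stale read cannot dereference the released buffer */` above the two new lines. tls_release_read_buffer begins outside the hunk, so I could not confirm whether any other field still references the released buffer and should be cleared in the same place.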
@@ -325,6 +327,12 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
         /* ... now we can act as if 'extend' was set */
     }
 
+    if (!ossl_assert(rl->packet != NULL)) {
+        /* does not happen */
+        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+        return OSSL_RECORD_RETURN_FATAL;
+    }
+
     len = rl->packet_length;
     pkt = rb->buf + align;
     /*
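Review bot: The comment on the new check, `/* does not happen */`, says the assertion is not expected to fail but not what invariant it protects, so a maintainer who later reorders buffer allocation and release has nothing to check against. The guard matters because `len = rl->packet_length;` and `pkt = rb->buf + align;` immediately below proceed on the assumption that a read buffer is present, and the first hunk of this commit now clears rl->packet together with that buffer. I would replace the comment with `/* rl->packet is cleared whenever the read buffer is released; a NULL here means read_n was entered without a buffer, which is a logic error elsewhere */`. tls_default_read_n begins before this hunk and continues after it.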