This bug could be reproduced with -dMfail option and detected by libasan.
During the TLS secrets allocations, when one fails, quic_tls_ctx_secs_free()
is called. It resets the already initialized secrets. Some were detected
as initialized when they were not, or had an uninitialized length, which leads
to a large "memset(0)" being detected by libasan.
Ensure that all the secrets are really initialized with correct lengths.
No need to be backported.
ctx->rx.hp_ctx = NULL;
ctx->rx.hp = NULL;
ctx->rx.secret = NULL;
+ ctx->rx.secretlen = 0;
ctx->rx.iv = NULL;
+ ctx->rx.ivlen = 0;
ctx->rx.key = NULL;
+ ctx->rx.keylen = 0;
ctx->rx.pn = 0;
ctx->tx.ctx = NULL;
ctx->tx.hp_ctx = NULL;
ctx->tx.hp = NULL;
ctx->tx.secret = NULL;
+ ctx->tx.secretlen = 0;
ctx->tx.iv = NULL;
+ ctx->tx.ivlen = 0;
ctx->tx.key = NULL;
+ ctx->tx.keylen = 0;
/* Not used on the TX path. */
ctx->tx.pn = 0;
ctx->rx.md = ctx->tx.md = EVP_sha256();
ctx->rx.hp = ctx->tx.hp = EVP_aes_128_ctr();
+ ctx->rx.iv = NULL;
+ ctx->rx.ivlen = 0;
+ ctx->rx.key = NULL;
+ ctx->rx.keylen = 0;
+ ctx->rx.secret = NULL;
+ ctx->rx.secretlen = 0;
+
+ ctx->tx.iv = NULL;
+ ctx->tx.ivlen = 0;
+ ctx->tx.key = NULL;
+ ctx->tx.keylen = 0;
+ ctx->tx.secret = NULL;
+ ctx->tx.secretlen = 0;
+
return quic_tls_ctx_keys_alloc(ctx);
}
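Review bot: The twelve added assignments at the top of the second hunk (rx/tx iv, ivlen, key, keylen, secret, secretlen) repeat field by field the reset sequence the first hunk amends; if that sequence lives in a callable helper, invoking it here instead would keep the two sites from drifting apart the next time a field is added, which is exactly the class of omission this commit fixes. Either way, a short comment would tell the next maintainer why the lengths matter and not only the pointers, e.g. `/* Lengths must be 0 whenever the buffer is NULL: the free path wipes <len> bytes before freeing. */`, since the description says quic_tls_ctx_secs_free() zeroes based on the stored length. The enclosing function of the second hunk starts outside the hunk, so I cannot tell whether hp_ctx and ctx receive the same treatment before these lines; worth confirming.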