Set rlayer.packet to NULL after we've finished using it
authorMatt Caswell <matt@openssl.org>
Wed, 24 Apr 2024 10:33:41 +0000 (11:33 +0100)
committerMatt Caswell <matt@openssl.org>
Tue, 28 May 2024 12:52:00 +0000 (13:52 +0100)
In order to ensure we do not have a use-after-free (UAF), we reset the rlayer.packet pointer
to NULL after we free it.

CVE-2024-4741

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24395)

ssl/record/rec_layer_s3.c
ssl/record/ssl3_buffer.c

index 1569997bea2d31277f50189f52465eae028a7260..779e998bb6ee063444c46b36bd67849b5a1dfb88 100644 (file)
@@ -230,6 +230,12 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,
         /* ... now we can act as if 'extend' was set */
     }
 
+    if (!ossl_assert(s->rlayer.packet != NULL)) {
+        /* does not happen */
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+        return -1;
+    }
+
     len = s->rlayer.packet_length;
     pkt = rb->buf + align;
     /*
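Review bot: The comment `/* does not happen */` on the new guard does not say which invariant is being asserted; since this same commit makes ssl3_release_read_buffer() clear rlayer.packet, the comment could name it, e.g. `/* rlayer.packet is NULL only after ssl3_release_read_buffer(); reading after release is an internal error */`. The guard sits after the 'extend' handling, and whether s->rlayer.packet is dereferenced earlier in the function is not visible in this hunk, so it is worth confirming the check precedes every use of the pointer. ssl3_read_n's body starts and ends outside the hunk.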
index 97b0c26ced81e9e29007ed39f0964fa07cd4c1ac..1a10a7c0b8668468be209d13efb3e263f56f0bc2 100644 (file)
@@ -191,5 +191,7 @@ int ssl3_release_read_buffer(SSL *s)
         OPENSSL_cleanse(b->buf, b->len);
     OPENSSL_free(b->buf);
     b->buf = NULL;
+    s->rlayer.packet = NULL;
+    s->rlayer.packet_length = 0;
     return 1;
 }
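Review bot: `b->len` keeps its old value after `b->buf` is freed and set to NULL, whereas the new lines clear rlayer.packet and rlayer.packet_length together; if anything consults b->len to decide whether the read buffer is still allocated, the stale length would mislead it, so consider adding `b->len = 0;` after `b->buf = NULL;` for the same reason packet_length is zeroed. This is a consistency observation rather than a defect visible in the hunk, and I cannot tell from here whether b->len is read after release. The OPENSSL_cleanse call appears to be conditional on a line above the hunk, and ssl3_release_read_buffer's body starts outside it.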