From: Frédéric Lécaille
Date: Wed, 8 Nov 2023 14:59:00 +0000 (+0100)
Subject: BUG/MEDIUM: quic: Possible crashes during secrets allocations (heavy load)
X-Git-Tag: v2.9-dev10~120
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0016dbaef40e734aef520817ee930e67c3fa784f;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: quic: Possible crashes during secrets allocations (heavy load)

This bug could be reproduced with -dMfail option and detected by libasan.

During the TLS secrets allocations, when failed, quic_tls_ctx_secs_free() is called. It resets the already initialized secrets. Some were detected as initialized when not, or with a non initialized length, which leads to big "memset(0)" detected by libsasan.

Ensure that all the secrets are really initialized with correct lengths.

No need to be backported.
---
diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h
index 9f964398ca..cc63709c3d 100644
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -685,8 +685,11 @@ static inline void quic_tls_ctx_reset(struct quic_tls_ctx *ctx)
 	ctx->rx.hp_ctx = NULL;
 	ctx->rx.hp = NULL;
 	ctx->rx.secret = NULL;
+	ctx->rx.secretlen = 0;
 	ctx->rx.iv = NULL;
+	ctx->rx.ivlen = 0;
 	ctx->rx.key = NULL;
+	ctx->rx.keylen = 0;
 	ctx->rx.pn = 0;
 
 	ctx->tx.ctx = NULL;
@@ -695,8 +698,11 @@ static inline void quic_tls_ctx_reset(struct quic_tls_ctx *ctx)
 	ctx->tx.hp_ctx = NULL;
 	ctx->tx.hp = NULL;
 	ctx->tx.secret = NULL;
+	ctx->tx.secretlen = 0;
 	ctx->tx.iv = NULL;
+	ctx->tx.ivlen = 0;
 	ctx->tx.key = NULL;
+	ctx->tx.keylen = 0;
 	/* Not used on the TX path. */
 	ctx->tx.pn = 0;
 
@@ -835,6 +841,20 @@ static inline int quic_initial_tls_ctx_init(struct quic_tls_ctx *ctx)
 	ctx->rx.md = ctx->tx.md = EVP_sha256();
 	ctx->rx.hp = ctx->tx.hp = EVP_aes_128_ctr();
+	ctx->rx.iv = NULL;
+	ctx->rx.ivlen = 0;
+	ctx->rx.key = NULL;
+	ctx->rx.keylen = 0;
+	ctx->rx.secret = NULL;
+	ctx->rx.secretlen = 0;
+
+	ctx->tx.iv = NULL;
+	ctx->tx.ivlen = 0;
+	ctx->tx.key = NULL;
+	ctx->tx.keylen = 0;
+	ctx->tx.secret = NULL;
+	ctx->tx.secretlen = 0;
+
 	return quic_tls_ctx_keys_alloc(ctx);
 }
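Review bot: The twelve new assignments in quic_initial_tls_ctx_init() repeat field by field what quic_tls_ctx_reset() already does in the hunks above, and nothing in the code says why they are required right before quic_tls_ctx_keys_alloc(). Since quic_tls_ctx_reset() also clears aead/md/hp, the simpler form is presumably a single `quic_tls_ctx_reset(ctx);` at the top of the function before those are assigned (the function's first lines are outside the hunk, so I cannot confirm that nothing else there would be clobbered); if the explicit assignments are kept, a comment should carry the rationale from the commit message, e.g. `/* Pointers and lengths must be consistent before quic_tls_ctx_keys_alloc(): on allocation failure quic_tls_ctx_secs_free() relies on them to decide what to release. */`. Either way the rx and tx halves are identical statement lists, so a field added to one side later is easy to forget on the other.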