From: sashan <anedvedicky@gmail.com>
Date: Wed, 11 Jun 2025 06:23:38 +0000 (+0200)
Subject: ossl_rio_poll_builder_add_fd(): Fixup pfds after reallocation
X-Git-Tag: openssl-3.5.1~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=65184bf9de91594a1d257f00d021bf5b1f5421c9;p=thirdparty%2Fopenssl.git

ossl_rio_poll_builder_add_fd(): Fixup pfds after reallocation

Local variable `pfds` used in `ossl_rio_poll_builder_add_fd()` must be consistent
with `rpb->pfd_heap`. The function maintains array of SSL objects for SSL_poll(3ossl).
It works with no issues until we need to reallocate `rbp->pfd_heap` in `rpb_ensure_alloc()`.
After `rpb_ensure_alloc()` returns we must update local variable `pfds` with `rpb->pfd_heap`
not doing so makes function to write to dead buffer.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27804)

(cherry picked from commit 5ee8248d083c00583d52350ed9464bfb58d2f60c)
---

diff --git a/ssl/rio/poll_builder.c b/ssl/rio/poll_builder.c
index 3cfbe3b0aca..bd9317a8b8b 100644
--- a/ssl/rio/poll_builder.c
+++ b/ssl/rio/poll_builder.c
@@ -115,8 +115,11 @@ int ossl_rio_poll_builder_add_fd(RIO_POLL_BUILDER *rpb, int fd,
     if (i >= rpb->pfd_alloc) {
         if (!rpb_ensure_alloc(rpb, rpb->pfd_alloc * 2))
             return 0;
+        pfds = rpb->pfd_heap;
     }
 
+    assert((rpb->pfd_heap != NULL && rpb->pfd_heap == pfds) ||
+           (rpb->pfd_heap == NULL && rpb->pfds == pfds));
     assert(i <= rpb->pfd_num && rpb->pfd_num <= rpb->pfd_alloc);
     pfds[i].fd      = fd;
     pfds[i].events  = 0;