From: Tomas Mraz Date: Mon, 1 Dec 2025 16:14:21 +0000 (+0100) Subject: dtls_get_reassembled_message(): Fix potential use-after-realloc X-Git-Tag: 3.6-PRE-CLANG-FORMAT-WEBKIT~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9fd79ebc421aa1a6abaf629ea8e3a0a0a63be54c;p=thirdparty%2Fopenssl.git dtls_get_reassembled_message(): Fix potential use-after-realloc Fortunately due to the initial size of the allocated buffer and the limit for unfragmented DTLS record size the use-after-realloc cannot be triggered. But we fix the potentially problematic code anyway. Reported Joshua Rogers. It was found with the ZeroPath security tooling. Reviewed-by: Dmitry Belyavskiy Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/29278) (cherry picked from commit 6d1d85c31b4840d08b48e57b1812a37cb9aa89ec) --- diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index 78baeed9031..b26ecf42ae2 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -946,7 +946,8 @@ static int dtls_get_reassembled_message(SSL_CONNECTION *s, int *errtype, } if (frag_len > 0) { - p += DTLS1_HM_HEADER_LENGTH; + /* dtls1_preprocess_fragment() above could reallocate init_buf */ + p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL, &p[frag_off], frag_len, 0, &readbytes);
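Review bot: recomputing `p` from `s->init_buf->data` after `dtls1_preprocess_fragment()` is the right fix, but the same hazard applies to any other pointer into `init_buf->data` that this function cached before that call, since `&p[frag_off]` is only one consumer of the buffer base; please confirm no other such pointer survives the call, and consider making the new comment say why the buffer can move (the fragment is read into `init_buf`, which may be grown) rather than only that it "could reallocate". The commit message's argument that the stale pointer cannot actually be dereferenced, because the buffer's initial size already covers the unfragmented DTLS record limit, is an invariant worth stating next to the comment so a future change to either constant does not silently reintroduce the bug.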