From: Matt Caswell <matt@openssl.org>
Date: Tue, 23 Apr 2024 15:36:11 +0000 (+0100)
Subject: Set rl->packet to NULL after we've finished using it
X-Git-Tag: openssl-3.4.0-alpha1~519
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bfb8128190632092b3a66465838b87b469455cec;p=thirdparty%2Fopenssl.git

Set rl->packet to NULL after we've finished using it

In order to ensure we do not have a UAF we reset the rl->packet pointer
to NULL after we free it.

Follow on from CVE-2024-4741

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24395)
---

diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index 88ce83fab12..b09991cafb1 100644
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@@ -283,6 +283,8 @@ static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl)
         OPENSSL_cleanse(b->buf, b->len);
     OPENSSL_free(b->buf);
     b->buf = NULL;
+    rl->packet = NULL;
+    rl->packet_length = 0;
     return 1;
 }
 
@@ -325,6 +327,12 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
         /* ... now we can act as if 'extend' was set */
     }
 
+    if (!ossl_assert(rl->packet != NULL)) {
+        /* does not happen */
+        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+        return OSSL_RECORD_RETURN_FATAL;
+    }
+
     len = rl->packet_length;
     pkt = rb->buf + align;
     /*