From: Matt Caswell Date: Tue, 23 Apr 2024 15:34:46 +0000 (+0100) Subject: Only free the read buffers if we're not using them X-Git-Tag: openssl-3.3.1~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5093133c35ca82874ad83697af76f4b0f7e3bd8;p=thirdparty%2Fopenssl.git Only free the read buffers if we're not using them If we're part way through processing a record, or the application has not released all the records then we should not free our buffer because they are still needed. CVE-2024-4741 Reviewed-by: Tomas Mraz Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/24395) (cherry picked from commit 38690cab18de88198f46478565fab423cf534efa) --- diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c index b7481c071f7..01cf3012b8c 100644 --- a/ssl/record/methods/tls_common.c +++ b/ssl/record/methods/tls_common.c @@ -2124,7 +2124,10 @@ int tls_free_buffers(OSSL_RECORD_LAYER *rl) /* Read direction */ /* If we have pending data to be read then fail */ - if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0) + if (rl->curr_rec < rl->num_recs + || rl->curr_rec != rl->num_released + || TLS_BUFFER_get_left(&rl->rbuf) != 0 + || rl->rstate == SSL_ST_READ_BODY) return 0; return tls_release_read_buffer(rl);
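Review bot: The comment above the condition in tls_free_buffers() still reads "If we have pending data to be read then fail", but the check now also returns 0 in two cases that comment does not describe: the application has not released all records (`rl->curr_rec != rl->num_released`) and a record body is part way through being read (`rl->rstate == SSL_ST_READ_BODY`). Suggest extending the comment to name both, since these are the cases the commit message gives as the reason for the change, and an uncommented clause is easy to drop in a later simplification of the condition. The diff shown touches only ssl/record/methods/tls_common.c; if the pull request does not already carry one, a regression test that calls the buffer-free path with a record partially processed and with records still unreleased, and checks for the 0 return, would pin the behaviour down.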