From: Robert Schulze Date: Tue, 18 Jun 2024 14:43:26 +0000 (+0000) Subject: Fix data race between SSL_SESSION_list_add and ssl_session_dup X-Git-Tag: openssl-3.3.2~114 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e57d1a7794ece9c98b94697d5de7c1806df0fad8;p=thirdparty%2Fopenssl.git Fix data race between SSL_SESSION_list_add and ssl_session_dup Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/24673) (cherry picked from commit 79886c85b378d73aec4d96f8e258f12915faddf7) --- diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 91217d60215..3b571991e46 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -139,7 +139,15 @@ static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket) dest = OPENSSL_malloc(sizeof(*dest)); if (dest == NULL) return NULL; - memcpy(dest, src, sizeof(*dest)); + + /* + * Copy until prev ptr, because it's a part of sessons cache which can be modified + * concurrently. Other fields filled in the code bellow. + */ + memcpy(dest, src, offsetof(SSL_SESSION, prev)); + dest->ext = src->ext; + dest->ticket_appdata_len = src->ticket_appdata_len; + dest->flags = src->flags; /* * Set the various pointers to NULL so that we can call SSL_SESSION_free in
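Review bot: The new `memcpy(dest, src, offsetof(SSL_SESSION, prev));` makes the copy depend on the member order of SSL_SESSION, and nothing in this hunk records that dependency. `dest` comes from `OPENSSL_malloc`, so every member from `prev` onward is uninitialised unless it is assigned explicitly; here only `ext`, `ticket_appdata_len` and `flags` are. A member added after `prev` in the future would be silently left with heap garbage in the duplicate. Consider zeroing the tail of `dest` (from `prev` to the end of the struct) right after the partial copy, and adding a comment at the struct definition saying that `prev` is the boundary and that members placed after it must be copied by hand in `ssl_session_dup_intern`. The comment should also say whether reading `src->ext`, `src->ticket_appdata_len` and `src->flags` here is safe against the same concurrent cache update, since they are still read from `src` without any visible lock. Minor: in the added comment, "sessons" should be "sessions" and "bellow" should be "below".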