From 6d1d85c31b4840d08b48e57b1812a37cb9aa89ec Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 1 Dec 2025 17:14:21 +0100
Subject: [PATCH] dtls_get_reassembled_message(): Fix potential use-after-realloc

Fortunately due to the initial size of the allocated buffer and the limit for unfragmented DTLS record size the use-after-realloc cannot be triggered. But we fix the potentially problematic code anyway.

Reported Joshua Rogers. It was found with the ZeroPath security tooling.

Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/29278)
---
 ssl/statem/statem_dtls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 78baeed9031..b26ecf42ae2 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -946,7 +946,8 @@ static int dtls_get_reassembled_message(SSL_CONNECTION *s, int *errtype,
     }
 
     if (frag_len > 0) {
-        p += DTLS1_HM_HEADER_LENGTH;
+        /* dtls1_preprocess_fragment() above could reallocate init_buf */
+        p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
         i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL,
                                         &p[frag_off], frag_len, 0,
                                         &readbytes);
-- 
2.47.3
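Review bot: The re-derived `p` fixes the stale pointer, but the write that follows — ssl_read_bytes() filling frag_len bytes at `&p[frag_off]` — still depends on dtls1_preprocess_fragment() having grown init_buf to at least DTLS1_HM_HEADER_LENGTH + frag_off + frag_len bytes, and nothing in the hunk checks that; the commit message says it holds because of the initial allocation size and the unfragmented-record limit, which is an invariant worth enforcing rather than implying, since frag_off and frag_len come from the peer's fragment header. A cheap guard before the read, e.g. `if (!ossl_assert(s->init_buf->length >= DTLS1_HM_HEADER_LENGTH + frag_off + frag_len)) return 0;` (adapted to this function's errtype/return convention), would make the reasoning in the commit message checkable; this assumes init_buf is a BUF_MEM with a `length` field, which the hunk does not show. The added comment could also record why the offset is safe: `/* dtls1_preprocess_fragment() above could reallocate init_buf; it must also have left room for frag_off + frag_len */` — confirm against that function before adopting the wording. Any other read of the pre-realloc `p` between the dtls1_preprocess_fragment() call and this point would carry the same hazard; dtls_get_reassembled_message() starts and ends outside the hunk, so that cannot be confirmed here.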