From d9dd9afc9354e739954f55db85af7401ec9ca6ba Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 23 Apr 2024 16:36:11 +0100
Subject: [PATCH] Set rl->packet to NULL after we've finished using it

In order to ensure we do not have a UAF we reset the rl->packet pointer to NULL after we free it.

Follow on from CVE-2024-4741

Reviewed-by: Tomas Mraz
Reviewed-by: Neil Horman
(Merged from https://github.com/openssl/openssl/pull/24395)

(cherry picked from commit bfb8128190632092b3a66465838b87b469455cec)
---
 ssl/record/methods/tls_common.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index 01cf3012b8c..6cb8e887044 100644
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@@ -283,6 +283,8 @@ static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl)
 OPENSSL_cleanse(b->buf, b->len);
 OPENSSL_free(b->buf);
 b->buf = NULL;
+ rl->packet = NULL;
+ rl->packet_length = 0;
 return 1;
 }
@@ -325,6 +327,12 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
 /* ... now we can act as if 'extend' was set */
 }
+ if (!ossl_assert(rl->packet != NULL)) {
+ /* does not happen */
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+
 len = rl->packet_length;
 pkt = rb->buf + align;
 /*
-- 
2.47.2
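Review bot: The two added resets in tls_release_read_buffer carry no comment saying why they belong next to freeing b->buf, so a reader who sees only this function cannot tell that rl->packet is an alias into the buffer being released. Suggest placing `/* rl->packet aliases b->buf; clear it with the buffer so no dangling pointer survives the release (see CVE-2024-4741) */` above `rl->packet = NULL;`. If elsewhere in this file rb->buf is reallocated or replaced rather than released, rl->packet would presumably need the same reset on that path too; that cannot be confirmed from this hunk. The body of tls_release_read_buffer begins before the hunk.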
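Review bot: The `/* does not happen */` comment on the new ossl_assert in tls_default_read_n does not state the invariant being checked, so a future maintainer cannot tell what must have gone wrong to reach the RLAYERfatal. Replace it with something like `/* rl->packet is cleared when the read buffer is released; NULL here means read_n ran after a release and before the buffer was reattached */`. If the non-extend path earlier in this function assigns rl->packet from rb->buf before this point, the check effectively protects only the extend case, which the comment should also say. tls_default_read_n starts and ends outside this hunk.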