]> git.ipfire.org Git - thirdparty/openvpn.git/commitdiff
Fix ack_write_buf use after free
authorMax Fillinger <maximilian.fillinger@sentyron.com>
Fri, 22 May 2026 14:55:13 +0000 (16:55 +0200)
committerGert Doering <gert@greenie.muc.de>
Wed, 1 Jul 2026 07:49:29 +0000 (09:49 +0200)
If the active TLS session has a pending dedicated ACK packet,
tls_multi_process sets to_link to ks->ack_write_buf. If in the same
execution of tls_multi_process, the initializing session reaches the
authenticated stage, the active session will be freed which leaves
to_link.data pointing to freed memory.

This commit extends check_session_buf_not_used so that it also checks
ks->ack_write_buf for all key states.

CVE: 2026-12996
Github: OpenVPN/openvpn-private-issues#121
Github: OpenVPN/openvpn-private-issues#127
Reported-By: Hcamael
Reported-By: 章鱼哥 (www.aipyaipy.com)
Github: OpenVPN/openvpn-private-issues#131
Reported-By: Haiyang Huang <huanghaiyang83@gmail.com>
Github: OpenVPN/openvpn-private-issues#132
Reported-By: Haruki Oyama (Waseda University)
Change-Id: Ia6aee772999d87b45a51bf5855c4f266ad7fb3f4
Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com>
Acked-By: Arne Schwabe <arne@rfc2549.org>
src/openvpn/ssl.c

index eb1137fcbc75859a5e0353f0eb27dc37f1af19c9..85546020da8a84a769f46981f7059672177abd4c 100644 (file)
@@ -3203,6 +3203,12 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
                 goto used;
             }
         }
+        if (ks->ack_write_buf.data == dataptr)
+        {
+            msg(M_INFO, "Warning buffer of freed TLS session is still in use (session->key[%d].ack_write_buf)", i);
+
+            goto used;
+        }
     }
     return;