If the active TLS session has a pending dedicated ACK packet,
tls_multi_process sets to_link to ks->ack_write_buf. If in the same
execution of tls_multi_process, the initializing session reaches the
authenticated stage, the active session will be freed which leaves
to_link.data pointing to freed memory.
This commit extends check_session_buf_not_used so that it also checks
ks->ack_write_buf for all key states.
CVE: 2026-12996
Github: OpenVPN/openvpn-private-issues#121
Github: OpenVPN/openvpn-private-issues#127
Reported-By: Hcamael
Reported-By: 章鱼哥 (www.aipyaipy.com)
Github: OpenVPN/openvpn-private-issues#131
Reported-By: Haiyang Huang <huanghaiyang83@gmail.com>
Github: OpenVPN/openvpn-private-issues#132
Reported-By: Haruki Oyama (Waseda University)
Change-Id: Ia6aee772999d87b45a51bf5855c4f266ad7fb3f4
Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com>
Acked-By: Arne Schwabe <arne@rfc2549.org>
goto used;
}
}
+ if (ks->ack_write_buf.data == dataptr)
+ {
+ msg(M_INFO, "Warning buffer of freed TLS session is still in use (session->key[%d].ack_write_buf)", i);
+
+ goto used;
+ }
}
return;