From: Max Fillinger Date: Fri, 22 May 2026 14:55:13 +0000 (+0200) Subject: Fix ack_write_buf use after free X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=97f39e1e993ba2217623a5b4ea16f879b2fb6a1e;p=thirdparty%2Fopenvpn.git Fix ack_write_buf use after free If the active TLS session has a pending dedicated ACK packet, tls_multi_process sets to_link to ks->ack_write_buf. If in the same execution of tls_multi_process, the initializing session reaches the authenticated stage, the active session will be freed which leaves to_link.data pointing to freed memory. This commit extends check_session_buf_not_used so that it also checks ks->ack_write_buf for all key states. CVE: 2026-12996 Github: OpenVPN/openvpn-private-issues#121 Github: OpenVPN/openvpn-private-issues#127 Reported-By: Hcamael Reported-By: 章鱼哥 (www.aipyaipy.com) Github: OpenVPN/openvpn-private-issues#131 Reported-By: Haiyang Huang Github: OpenVPN/openvpn-private-issues#132 Reported-By: Haruki Oyama (Waseda University) Change-Id: Ia6aee772999d87b45a51bf5855c4f266ad7fb3f4 Signed-off-by: Max Fillinger Acked-By: Arne Schwabe --- diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index eb1137fcb..85546020d 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3203,6 +3203,12 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session) goto used; } } + if (ks->ack_write_buf.data == dataptr) + { + msg(M_INFO, "Warning buffer of freed TLS session is still in use (session->key[%d].ack_write_buf)", i); + + goto used; + } } return;