[openssl/openssl] e59ed0: zero data in hm_fragment on alloc

Matt Caswell noreply at github.com
Tue Nov 21 12:13:07 UTC 2023


  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: e59ed0bfeece9db433809af2cebbe271a402d59b
      https://github.com/openssl/openssl/commit/e59ed0bfeece9db433809af2cebbe271a402d59b
  Author: Neil Horman <nhorman at openssl.org>
  Date:   2023-11-21 (Tue, 21 Nov 2023)

  Changed paths:
    M ssl/statem/statem_dtls.c

  Log Message:
  -----------
  zero data in hm_fragment on alloc

If we allocate a new hm_fragment in dtls1_buffer_message with
dtls1_hm_fragment_new, the returned fragment contains uninitialized data in the
msg_header field.  If an error then occurs, and we free the fragment,
dtls_hm_fragment_free interrogates the msg_header field (which is garbage), and
potentially references undefined values, or worse, accidentally references
available memory that is not owned, leading to various corruptions.

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22679)


  Commit: a091bc6022b23c0b1caf1c7acbb1f15bdf290816
      https://github.com/openssl/openssl/commit/a091bc6022b23c0b1caf1c7acbb1f15bdf290816
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-11-21 (Tue, 21 Nov 2023)

  Changed paths:
    M ssl/d1_lib.c
    M ssl/statem/statem_dtls.c

  Log Message:
  -----------
  Move freeing of an old record layer to dtls1_clear_sent_buffer

When we are clearing the sent messages queue we should ensure we free any
old write record layers that are no longer in use. Previously this logic
was in dtls1_hm_fragment_free() - but this can end up freeing the current
record layer under certain error conditions.

Fixes #22664

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22679)


Compare: https://github.com/openssl/openssl/compare/5091aadc2233...a091bc6022b2
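
The failure mode described in the first log message, as an added example that is not OpenSSL's code: the struct, field and function names below are hypothetical simplifications, and a fixed fill pattern stands in for uninitialized heap contents so the result is reproducible.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins; not OpenSSL's real definitions. */
struct demo_header {
    int   is_ccs;     /* flag the free path inspects */
    void *old_layer;  /* resource the free path would release */
};
struct demo_fragment {
    struct demo_header msg_header;
    unsigned char *data;
};

/* malloc() returns indeterminate memory; fill it with a fixed pattern so
 * the "garbage" is the same on every run of this demo. */
static void *poisoned_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, 0xA5, n);
    return p;
}

struct demo_fragment *frag_new(int zero_on_alloc)
{
    struct demo_fragment *f = poisoned_malloc(sizeof(*f));
    if (f == NULL)
        return NULL;
    if (zero_on_alloc)
        memset(f, 0, sizeof(*f)); /* "after": whole fragment zeroed */
    f->data = NULL;               /* "before": only the payload was set */
    return f;
}

/* Free path that interrogates msg_header. Returns 1 if it would have
 * released old_layer (the demo never dereferences it), 0 otherwise. */
int frag_free(struct demo_fragment *f)
{
    int would_release;
    if (f == NULL)
        return 0;
    would_release = f->msg_header.is_ccs && f->msg_header.old_layer != NULL;
    free(f->data);
    free(f);
    return would_release;
}

int main(void)
{
    /* Exit status 0 when the unzeroed path misfires and the zeroed one does not. */
    return !(frag_free(frag_new(0)) == 1 && frag_free(frag_new(1)) == 0);
}
```

In a real build the garbage is not a fixed pattern, so the error-path free may or may not act on it from run to run; memory sanitizers such as MSan or Valgrind report the uninitialized read directly.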

