[openssl/openssl] 1ea038: zero data in hm_fragment on alloc
Matt Caswell
noreply at github.com
Tue Nov 21 12:13:13 UTC 2023
Branch: refs/heads/openssl-3.2
Home: https://github.com/openssl/openssl
Commit: 1ea038bfa2726ad1bfbc220c8955c0fead9393d5
https://github.com/openssl/openssl/commit/1ea038bfa2726ad1bfbc220c8955c0fead9393d5
Author: Neil Horman <nhorman at openssl.org>
Date: 2023-11-21 (Tue, 21 Nov 2023)
Changed paths:
M ssl/statem/statem_dtls.c
Log Message:
-----------
zero data in hm_fragment on alloc
If we allocate a new hm_fragment in dtls1_buffer_message with
dtls1_hm_fragment_new, the returned fragment contains uninitialized data in the
msg_header field. If an error then occurs, and we free the fragment,
dtls_hm_fragment_free interrogates the msg_header field (which is garbage), and
potentially references undefined values, or worse, accidentally references
available memory that is not owned, leading to various corruptions.
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22679)
(cherry picked from commit e59ed0bfeece9db433809af2cebbe271a402d59b)
Commit: 2bb83945bb99c98b1a67c5ba6307ad8b0dde5370
https://github.com/openssl/openssl/commit/2bb83945bb99c98b1a67c5ba6307ad8b0dde5370
Author: Matt Caswell <matt at openssl.org>
Date: 2023-11-21 (Tue, 21 Nov 2023)
Changed paths:
M ssl/d1_lib.c
M ssl/statem/statem_dtls.c
Log Message:
-----------
Move freeing of an old record layer to dtls1_clear_sent_buffer
When we are clearing the sent messages queue we should ensure we free any
old write record layers that are no longer in use. Previously this logic
was in dtls1_hm_fragment_free() - but this can end up freeing the current
record layer under certain error conditions.
Fixes #22664
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22679)
(cherry picked from commit a091bc6022b23c0b1caf1c7acbb1f15bdf290816)
Compare: https://github.com/openssl/openssl/compare/3b866985ba8a...2bb83945bb99
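The failure mode described in the first commit's log message (a fragment freed on an error path before its msg_header has been filled in), shown as an added example that is not OpenSSL code. The struct layout, the field names owns_state and saved_state, the helper names, and the 0xA5 fill standing in for whatever malloc() returns are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for illustration; not the OpenSSL definitions. */
struct msg_header {
    int owns_state;     /* hypothetical flag the free routine consults */
    void *saved_state;  /* hypothetical resource released when the flag is set */
};
struct fragment {
    struct msg_header msg_header;
    unsigned char *data;
};

static int releases;    /* how often the free routine acted on the header */

/* Records the call instead of freeing, so the garbage pointer is never used. */
static void release_state(void *p) { (void)p; releases++; }

/* zero == 0 models plain malloc(); the 0xA5 fill is a constructed stand-in. */
static struct fragment *fragment_new(size_t len, int zero) {
    struct fragment *f = malloc(sizeof(*f));
    if (f == NULL) return NULL;
    memset(f, zero ? 0 : 0xA5, sizeof(*f));
    f->data = malloc(len);
    if (f->data == NULL) { free(f); return NULL; }
    return f;
}

static void fragment_free(struct fragment *f) {
    if (f->msg_header.owns_state)   /* header is read unconditionally */
        release_state(f->msg_header.saved_state);
    free(f->data);
    free(f);
}

/* Error path: allocate, fail before the header is populated, then free. */
int error_path_releases(int zero) {
    struct fragment *f = fragment_new(16, zero);
    if (f == NULL) return -1;
    releases = 0;
    fragment_free(f);
    return releases;
}

int main(void) {
    printf("unzeroed: %d  zeroed: %d\n", error_path_releases(0), error_path_releases(1));
    return 0;
}
```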