[openssl/openssl] 29406e: zero data in hm_fragment on alloc

Matt Caswell noreply at github.com
Fri Nov 24 11:05:09 UTC 2023


  Branch: refs/heads/openssl-3.0
  Home:   https://github.com/openssl/openssl
  Commit: 29406e10311380d9d1fb3105b33039685ff6f507
      https://github.com/openssl/openssl/commit/29406e10311380d9d1fb3105b33039685ff6f507
  Author: Neil Horman <nhorman at openssl.org>
  Date:   2023-11-24 (Fri, 24 Nov 2023)

  Changed paths:
    M ssl/statem/statem_dtls.c

  Log Message:
  -----------
  zero data in hm_fragment on alloc

If we allocate a new hm_fragment in dtls1_buffer_message with
dtls1_hm_fragment_new, the returned fragment contains uninitialized data in the
msg_header field.  If an error then occurs, and we free the fragment,
dtls_hm_fragment_free interrogates the msg_header field (which is garbage), and
potentially references undefined values, or worse, accidentally references
available memory that is not owned, leading to various corruptions.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2261)

(cherry picked from commit 02a2c3bc1336d2af1601fbc5d959c6babc1bce12)


  Commit: 49ba775e49e1ac37f95e77da21612d7695b2e806
      https://github.com/openssl/openssl/commit/49ba775e49e1ac37f95e77da21612d7695b2e806
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-11-24 (Fri, 24 Nov 2023)

  Changed paths:
    M ssl/d1_lib.c
    M ssl/ssl_lib.c
    M ssl/statem/statem_dtls.c

  Log Message:
  -----------
  Move freeing of an old enc_write_ctx/write_hash to dtls1_clear_sent_buffer

When we are clearing the sent messages queue we should ensure we free any
old enc_write_ctx/write_hash that are no longer in use. Previously this
logic was in dtls1_hm_fragment_free() - but this can end up freeing the
current enc_write_ctx/write_hash under certain error conditions.

Fixes #22664

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Tim Hudson <tjh at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2261)

(cherry picked from commit 5e361b00c41a443c0c5954f7dd6f475d645b7f84)


Compare: https://github.com/openssl/openssl/compare/48fe8d4e53d5...49ba775e49e1
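
The failure mode described in the first log message above, as an added example in C; it is not code from the OpenSSL commit. The struct layout, the field names (owns_state, saved_ctx) and the function names are hypothetical, and the leftover heap contents are modelled with a fixed poison byte so the program stays well defined.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model, not OpenSSL's structures: the header tells the
 * free routine whether the fragment owns extra saved state. */
struct frag_header { int owns_state; void *saved_ctx; };
struct frag { struct frag_header hdr; unsigned char *data; };

/* Stand-in for heap contents left by an earlier allocation. Reading
 * truly uninitialized memory is undefined, so the garbage is modelled
 * with a fixed poison byte (constructed for this example). */
static void *poison_alloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, 0xA5, n);
    return p;
}

/* "Before": only data is set; hdr keeps whatever was in the block. */
struct frag *frag_new_unzeroed(void)
{
    struct frag *f = poison_alloc(sizeof(*f));
    if (f != NULL)
        f->data = NULL;
    return f;
}

/* "After": the whole structure is zeroed on allocation. */
struct frag *frag_new_zeroed(void)
{
    return calloc(1, sizeof(struct frag));
}

/* Error-path free. Returns 1 if the header made it decide to release
 * hdr.saved_ctx. The release itself is skipped so the demo is safe;
 * in real code this is where a garbage pointer would be freed. */
int frag_free(struct frag *f)
{
    int released = 0;
    if (f == NULL)
        return 0;
    if (f->hdr.owns_state)
        released = 1;
    free(f->data);
    free(f);
    return released;
}
```

With the unzeroed allocator the free routine acts on a header nobody wrote; with the zeroed one it sees owns_state == 0 and leaves saved_ctx alone.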
