From c88c3de51020c37e8706bf7a682a162593053aac Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 23 Apr 2024 16:34:46 +0100
Subject: [PATCH] Only free the read buffers if we're not using them
If we're part way through processing a record, or the application has
not released all the records, then we should not free our buffers because
they are still needed.
CVE-2024-4741
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24395)
(cherry picked from commit 38690cab18de88198f46478565fab423cf534efa)
---
ssl/record/methods/tls_common.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index 08e519ac7a385..f46da0fd5b33f 100644
--- ssl/record/methods/tls_common.c.orig
+++ ssl/record/methods/tls_common.c
@@ -2129,7 +2129,10 @@ int tls_free_buffers(OSSL_RECORD_LAYER *rl)
/* Read direction */
/* If we have pending data to be read then fail */
- if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0)
+ if (rl->curr_rec < rl->num_recs
+ || rl->curr_rec != rl->num_released
+ || TLS_BUFFER_get_left(&rl->rbuf) != 0
+ || rl->rstate == SSL_ST_READ_BODY)
return 0;
return tls_release_read_buffer(rl);
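Review bot: The comment above the check, `/* If we have pending data to be read then fail */`, no longer describes what the condition tests, because the new side also refuses when `rl->curr_rec != rl->num_released` and when `rl->rstate == SSL_ST_READ_BODY`. This guard is what keeps the read buffer from being released while it is still referenced (the use-after-free tracked as CVE-2024-4741), so I would say so in the comment, e.g. `/* Fail if any record is unread or not yet released, data is left in rbuf, or a record body is still being read: the buffer is in use */`. A regression test that calls the free path in each of those states and expects a 0 return would stop the guard from being loosened later; none is visible in this patch. tls_free_buffers starts before this hunk and its end is not shown here.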