forked from pool/openssl-3
Pedro Monreal Gonzalez
4bad59c768
- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free security vulnerability. Calling the function SSL_free_buffers() potentially caused memory to be accessed that was previously freed in some situations and a malicious attacker could attempt to engineer a stituation where this occurs to facilitate a denial-of-service attack. [CVE-2024-4741, bsc#1225551] OBS-URL: https://build.opensuse.org/request/show/1189030 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=107
29 lines
908 B
Diff
29 lines
908 B
Diff
@@ -, +, @@
|
|
---
|
|
ssl/record/methods/tls_common.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
--- openssl-3.0.8/ssl/record/ssl3_buffer.c
|
|
+++ openssl-3.0.8/ssl/record/ssl3_buffer.c
|
|
@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s)
|
|
OPENSSL_cleanse(b->buf, b->len);
|
|
OPENSSL_free(b->buf);
|
|
b->buf = NULL;
|
|
+ s->rlayer.packet = NULL;
|
|
+ s->rlayer.packet_length = 0;
|
|
return 1;
|
|
}
|
|
--- openssl-3.0.8/ssl/record/rec_layer_s3.c
|
|
+++ openssl-3.0.8/ssl/record/rec_layer_s3.c
|
|
@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t
|
|
s->rlayer.packet_length = 0;
|
|
/* ... now we can act as if 'extend' was set */
|
|
}
|
|
+ if (!ossl_assert(s->rlayer.packet != NULL)) {
|
|
+ /* does not happen */
|
|
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
|
+ return -1;
|
|
+ }
|
|
|
|
len = s->rlayer.packet_length;
|
|
pkt = rb->buf + align;
|