root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

zero data in hm_fragment on alloc 

if we allocate a new hm_frament in dtls1_buffer_message with
dtls1_hm_fragment_new, the returned fragment contains uninitalized data in the
msg_header field.  If an error then occurs, and we free the fragment,
dtls_hm_fragment_free interrogates the msg_header field (which is garbage), and
potentially references undefined values, or worse, accidentally references
available memory that is not owned, leading to various corruptions.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22679)

(cherry picked from commit e59ed0bfee)
This commit is contained in:
Neil Horman 2023-11-09 08:13:58 -05:00 committed by Richard Levitte
parent 3b866985ba
commit 1ea038bfa2
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ssl/statem/statem_dtls.c
View File

@ -62,7 +62,7 @@ static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly)
unsigned char *buf = NULL; unsigned char *buf = NULL;
unsigned char *bitmask = NULL; unsigned char *bitmask = NULL;
if ((frag = OPENSSL_malloc(sizeof(*frag))) == NULL) if ((frag = OPENSSL_zalloc(sizeof(*frag))) == NULL)
return NULL; return NULL;
if (frag_len) { if (frag_len) {