zero data in hm_fragment on alloc
author Neil Horman <nhorman@openssl.org>
Thu, 9 Nov 2023 13:13:58 +0000 (08:13 -0500)
committer Matt Caswell <matt@openssl.org>
Fri, 24 Nov 2023 10:48:59 +0000 (10:48 +0000)
If we allocate a new hm_fragment in dtls1_buffer_message with
dtls1_hm_fragment_new, the returned fragment contains uninitialized data in the
msg_header field.  If an error then occurs, and we free the fragment,
dtls_hm_fragment_free interrogates the msg_header field (which is garbage), and
potentially references undefined values, or worse, accidentally references
available memory that is not owned, leading to various corruptions.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2261)
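The hazard the commit message describes, reduced to a self-contained illustration (added here; this is not OpenSSL code and the names frag_t, frag_new, frag_free, alloc_fn and budget_alloc are hypothetical): a free routine that reads a "header" field and a pointer that may not have been set yet is only well-defined on an early-error path if the struct was zeroed at allocation. calloc plays the role OPENSSL_zalloc plays in the patch, and an injectable allocator lets each error path be exercised deterministically.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed example (not OpenSSL code): a fragment whose free routine
 * inspects a header field, the pattern the commit message describes.
 * frag_t, frag_new, frag_free, alloc_fn and budget_alloc are hypothetical. */

typedef void *(*alloc_fn)(size_t);

typedef struct {
    int is_reassembly;       /* "header" field consulted by frag_free */
    size_t frag_len;
    unsigned char *buf;
    unsigned char *bitmask;  /* only allocated when is_reassembly != 0 */
} frag_t;

static void frag_free(frag_t *frag)
{
    if (frag == NULL)
        return;
    /* Reading is_reassembly and bitmask here is only well-defined if the
     * struct was zeroed (or fully initialised) before any error path can
     * reach this function. */
    if (frag->is_reassembly)
        free(frag->bitmask);
    free(frag->buf);
    free(frag);
}

/* buf_alloc is injectable so the error paths can be exercised on demand. */
static frag_t *frag_new(size_t frag_len, int reassembly, alloc_fn buf_alloc)
{
    /* calloc is the analogue of OPENSSL_zalloc: every field starts as
     * 0/NULL, so frag_free on a half-built fragment never sees garbage. */
    frag_t *frag = calloc(1, sizeof(*frag));
    if (frag == NULL)
        return NULL;

    frag->frag_len = frag_len;
    frag->is_reassembly = reassembly ? 1 : 0;   /* header set before buffers */

    frag->buf = buf_alloc(frag_len);
    if (frag->buf == NULL)
        goto err;
    if (frag->is_reassembly) {
        frag->bitmask = buf_alloc((frag_len + 7) / 8);
        if (frag->bitmask == NULL)
            goto err;
    }
    return frag;

 err:
    frag_free(frag);   /* safe: unallocated pointers are NULL, not stale */
    return NULL;
}

/* Test allocator: succeeds alloc_budget times, then returns NULL. */
static int alloc_budget;
static void *budget_alloc(size_t n)
{
    if (alloc_budget <= 0)
        return NULL;
    alloc_budget--;
    return malloc(n);
}

/* Build a reassembly fragment with `budget` successful buffer allocations;
 * returns 1 if frag_new produced a fragment, 0 if it failed cleanly. */
static int build_with_budget(int budget)
{
    frag_t *frag;

    alloc_budget = budget;
    frag = frag_new(64, 1, budget_alloc);
    if (frag == NULL)
        return 0;
    frag_free(frag);
    return 1;
}

int main(void)
{
    /* budget 0: buf fails; budget 1: bitmask fails after buf succeeded;
     * budget 2: both succeed. The first two are the error paths that an
     * uninitialised header would turn into undefined behaviour. */
    printf("budget 0 -> %d\n", build_with_budget(0));
    printf("budget 1 -> %d\n", build_with_budget(1));
    printf("budget 2 -> %d\n", build_with_budget(2));
    return 0;
}
```

With the struct allocated by plain malloc instead, the budget-1 case would set is_reassembly and then call free on whatever stale bytes happened to sit in bitmask, which is the corruption the commit message warns about; running the example under a sanitizer with calloc swapped for malloc makes that visible.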

ssl/statem/statem_dtls.c

index 788d0eff656ba3f25b921b287464f6e5122d51c8..2e98df6235db9065bef2f87a322c4f0a63791a2d 100644 (file)
@@ -59,7 +59,7 @@ static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly)
     unsigned char *buf = NULL;
     unsigned char *bitmask = NULL;
 
-    if ((frag = OPENSSL_malloc(sizeof(*frag))) == NULL) {
+    if ((frag = OPENSSL_zalloc(sizeof(*frag))) == NULL) {
         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
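Review bot: Switching to OPENSSL_zalloc at the struct allocation is the right place for the fix, because the free routine named in the message reads msg_header on the error path before the caller has had a chance to fill it in; the separate `buf = NULL` and `bitmask = NULL` initialisations above the hunk remain necessary since those are locals, not members. Consider adding a one-line comment at the allocation stating that zeroing is relied upon by the free routine, so a later change back to OPENSSL_malloc does not silently reintroduce the read of uninitialised header data.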