@@ -3155,6 +3155,53 @@ tls_process(struct tls_multi *multi,
return false;
}
+
+/**
+ * This is a safe guard function to double check that a buffer from a session is
+ * not used in a session to avoid a use after free.
+ *
+ * @param to_link
+ * @param session
+ */
+static void
+check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
+{
+ uint8_t *dataptr = to_link->data;
+ if (!dataptr)
+ {
+ return;
+ }
+
+ /* Checks buffers in tls_wrap */
+ if (session->tls_wrap.work.data == dataptr)
+ {
+ msg(M_INFO, "Warning buffer of freed TLS session is "
+ "still in use (tls_wrap.work.data)");
+ goto used;
+ }
+
+ for (int i = 0; i < KS_SIZE; i++)
+ {
+ struct key_state *ks = &session->key[i];
+ for (int j = 0; j < ks->send_reliable->size; j++)
+ {
+ if (ks->send_reliable->array[i].buf.data == dataptr)
+ {
+ msg(M_INFO, "Warning buffer of freed TLS session is still in"
+ " use (session->key[%d].send_reliable->array[%d])",
+ i, j);
+
+ goto used;
+ }
+ }
+ }
+ return;
+
+used:
+ to_link->len = 0;
+ to_link->data = 0;
+ /* for debugging, you can add an ASSERT(0); here to trigger an abort */
+}
/*
* Called by the top-level event loop.
*
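Review bot: The inner loop of check_session_buf_not_used indexes the reliable array with the outer counter, `ks->send_reliable->array[i].buf.data`, so only the first KS_SIZE slots are compared (once per j) and a to_link pointer that aliases a later slot passes the guard unnoticed; the line should read `if (ks->send_reliable->array[j].buf.data == dataptr)`. The loop also dereferences `ks->send_reliable` for every key slot without a NULL check. Whether an unused slot can have it unset is not visible in this hunk, so either confirm that it cannot or add `if (!ks->send_reliable) { continue; }`. The doc comment leaves both `@param` tags empty; it could say that to_link is the pending outgoing buffer and that its len and data are zeroed when it aliases a buffer owned by session.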
@@ -3253,6 +3300,7 @@ tls_multi_process(struct tls_multi *multi,
}
else
{
+ check_session_buf_not_used(to_link, session);
reset_session(multi, session);
}
}
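Review bot: The guard is added only on this else branch, before `reset_session(multi, session)`. The matching if branch and any other path in tls_multi_process that resets or moves a session are outside the hunk, so it is worth confirming that none of them can leave to_link pointing into released buffers. When the guard fires, the pending packet is dropped with only an M_INFO line, so a short comment at the call would help, e.g. `/* to_link may still reference this session's buffers; clear it before they are released */`. tls_multi_process starts and ends outside the hunk.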