| Message ID | 20231108124947.76816-3-gert@greenie.muc.de |
|---|---|
| State | Accepted |
| Series | [Openvpn-devel,1/3] Remove saving initial frame code |
Third in the series. This is the actual bug fix for the use-after-free leak - looks trivial enough... as Arne says, this part of the code is too full of magic and easy to break.

Your patch has been applied to the release/2.6 and master branch.

commit 57a5cd1e12f193927c9b7429f8778fec7e04c50a (release/2.6)
commit a0afe035cbca26f8c74b670a8c2a20b3d9c2294b (master)
Author: Arne Schwabe
Date: Fri Oct 27 14:19:37 2023 +0200

    Fix using to_link buffer after freed

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
    Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index e15f951d6..cee4afe19 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2903,7 +2903,13 @@ tls_process_state(struct tls_multi *multi, CONTROL_SEND_ACK_MAX, true); *to_link = b; dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP"); - return true; + + /* This changed the state of the outgoing buffer. In order to avoid + * running this function again/further and invalidating the key_state + * buffer and accessing the buffer that is now in to_link after it being + * freed for a potential error, we shortcircuit exiting of the outer + * process here. */ + return false; } /* Write incoming ciphertext to TLS object */
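Review bot: The new comment in tls_process_state explains the hazard but not the contract it relies on; "we shortcircuit exiting of the outer process here" does not say what the caller does with a false return, so the next person touching this path cannot tell why `return true;` was wrong. Suggest stating it directly above the `return false;`, for example: "Return false so the caller stops processing this key_state: *to_link now points at a buffer owned by the key_state, and further processing in this call could free it before the caller has sent it." Since the only visible change is the flipped return value, it would also help to note in the commit message which error path freed the buffer that `*to_link = b;` hands out, so the fix can be verified against that path.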