Move freeing of an old enc_write_ctx/write_hash to dtls1_clear_sent_buffer

When we are clearing the sent messages queue we should ensure we free any
old enc_write_ctx/write_hash that are no longer in use. Previously this
logic was in dtls1_hm_fragment_free() - but this can end up freeing the
current enc_write_ctx/write_hash under certain error conditions.

Fixes openssl#22664
mattcaswell committed Nov 9, 2023
1 parent c084e1d commit ad98ea7
Showing 2 changed files with 18 additions and 5 deletions.
17 changes: 17 additions & 0 deletions ssl/d1_lib.c
Expand Up @@ -130,6 +130,23 @@ void dtls1_clear_sent_buffer(SSL *s)

while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
frag = (hm_fragment *)item->data;

if (frag->msg_header.is_ccs) {
/*
* If we're freeing the CCS then we're done with the old
* enc_write_ctx/write_hash and they can be freed
*/
if (s->enc_write_ctx
!= frag->msg_header.saved_retransmit_state.enc_write_ctx)
EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state
.enc_write_ctx);

if (s->write_hash
!= frag->msg_header.saved_retransmit_state.write_hash)
EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state
.write_hash);
}

dtls1_hm_fragment_free(frag);
pitem_free(item);
}
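Review bot: The comment above the two pointer comparisons says why the saved contexts are freed but not why each free is guarded by `s->enc_write_ctx != ...` and `s->write_hash != ...`. The commit message gives the reason (under certain error conditions the saved state can still be the current one), and that belongs in the comment, because without it the guards look redundant and a later cleanup could drop them. The multi-line bodies of both `if` statements would also be safer with braces. The commit changes only the two source files, so a regression test covering the error path from openssl#22664 would help keep this from coming back.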
6 changes: 1 addition & 5 deletions ssl/statem/statem_dtls.c
Expand Up @@ -95,11 +95,7 @@ void dtls1_hm_fragment_free(hm_fragment *frag)
{
if (!frag)
return;
if (frag->msg_header.is_ccs) {
EVP_CIPHER_CTX_free(frag->msg_header.
saved_retransmit_state.enc_write_ctx);
EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state.write_hash);
}

OPENSSL_free(frag->fragment);
OPENSSL_free(frag->reassembly);
OPENSSL_free(frag);
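Review bot: With the `is_ccs` branch removed, dtls1_hm_fragment_free() no longer releases `saved_retransmit_state.enc_write_ctx` or `saved_retransmit_state.write_hash`, so any path that frees a CCS fragment without going through dtls1_clear_sent_buffer() will now leak both contexts. Please confirm that every caller that can hold a CCS fragment from the sent queue goes through dtls1_clear_sent_buffer(), and add a short comment at the top of this function stating that the saved retransmit state is owned and freed by the caller.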