zero data in hm_fragment on alloc
If we allocate a new hm_fragment in dtls1_buffer_message with
dtls1_hm_fragment_new, the returned fragment contains uninitialized data in the
msg_header field.  If an error then occurs, and we free the fragment,
dtls_hm_fragment_free interrogates the msg_header field (which is garbage), and
potentially references undefined values, or worse, accidentally references
available memory that is not owned, leading to various corruptions.
nhorman authored and mattcaswell committed Nov 9, 2023
1 parent 04d4f30 commit c084e1d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion ssl/statem/statem_dtls.c
Expand Up @@ -59,7 +59,7 @@ static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly)
unsigned char *buf = NULL;
unsigned char *bitmask = NULL;

if ((frag = OPENSSL_malloc(sizeof(*frag))) == NULL) {
if ((frag = OPENSSL_zalloc(sizeof(*frag))) == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
return NULL;
}
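
Review bot: The OPENSSL_zalloc call on the frag allocation carries no comment saying why zeroing is required, so a later cleanup could switch it back to OPENSSL_malloc and reintroduce the read of an uninitialized msg_header on the free path that the commit message describes. Suggest a one-line comment above the allocation, for example "/* zeroed: the free path reads msg_header even after an early error */", plus a regression test that forces an error right after allocation and runs under a memory sanitizer. The commit message also refers to dtls_hm_fragment_free, while the function named in the hunk header uses the dtls1_ prefix; aligning the name would help anyone searching the log.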