From c084e1d9a766ee1e5ca48bc996a38e87c3134cad Mon Sep 17 00:00:00 2001
From: Neil Horman
Date: Thu, 9 Nov 2023 08:13:58 -0500
Subject: [PATCH] zero data in hm_fragment on alloc

if we allocate a new hm_frament in dtls1_buffer_message with dtls1_hm_fragment_new, the returned fragment contains uninitalized data in the msg_header field. If an error then occurs, and we free the fragment, dtls_hm_fragment_free interrogates the msg_header field (which is garbage), and potentially references undefined values, or worse, accidentally references available memory that is not owned, leading to various corruptions.
---
 ssl/statem/statem_dtls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 788d0eff656ba..2e98df6235db9 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -59,7 +59,7 @@ static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly)
 unsigned char *buf = NULL;
 unsigned char *bitmask = NULL;
 
- if ((frag = OPENSSL_malloc(sizeof(*frag))) == NULL) {
+ if ((frag = OPENSSL_zalloc(sizeof(*frag))) == NULL) {
 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
 return NULL;
 }
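Review bot: The switch to OPENSSL_zalloc on the added line is correct but carries no comment explaining why zeroing is required, so a later reader may see a struct whose fields all get assigned further down and trade it back to OPENSSL_malloc, reintroducing the uninitialised read on the error path. A one-line comment at the allocation would pin the invariant the commit message describes: `/* zalloc: dtls1_hm_fragment_free() inspects msg_header, so the struct must be fully initialised even when a later allocation in this function fails */`. The remainder of dtls1_hm_fragment_new (the buf and bitmask allocations and their failure handling) lies outside the hunk, so I cannot confirm from here whether those failure paths hand a partially built fragment to dtls1_hm_fragment_free; if they do, the zeroed pointer members are presumably what make that free safe, and the comment should say so.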