Fix tls_wrap_reneg use after free

When dynamic tls-crypt is active, it is possible for tls_multi_process
to set to_link to session->tls_wrap_reneg.work and later free that
session, leaving to_link.data pointing to freed memory.

This is not caught by the function check_session_buf_not_used because it
checks only tls_wrap, not tls_wrap_reneg. This commit adds that check.

CVE: 2026-13117
Github: OpenVPN/openvpn-private-issues#119
Github: OpenVPN/openvpn-private-issues#125
Reported-By: Trace37 Labs (https://github.com/trace37labs)
Github: OpenVPN/openvpn-private-issues#131
Reported-By: Haiyang Huang <huanghaiyang83@gmail.com>
Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com>
Acked-By: Arne Schwabe <arne@rfc2549.org>
(cherry picked from commit cd536fffdef1f2bd54b3b848bd257917061637e8)
This commit is contained in:
Max Fillinger 2026-05-22 14:34:57 +02:00 committed by Gert Doering
parent 4357bb3754
commit 7cfd5c09b2

View file

@ -3240,6 +3240,12 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
"still in use (tls_wrap.work.data)");
goto used;
}
if (session->tls_wrap_reneg.work.data == dataptr)
{
msg(M_INFO, "Warning buffer of freed TLS session is "
"still in use (tls_wrap_reneg.work.data)");
goto used;
}
for (int i = 0; i < KS_SIZE; i++)
{