mirror of
https://github.com/OpenVPN/openvpn.git
synced 2026-07-15 20:03:58 -04:00
Fix tls_wrap_reneg use after free
When dynamic tls-crypt is active, it is possible for tls_multi_process to set to_link to session->tls_wrap_reneg.work and later free that session, leaving to_link.data pointing to freed memory. This is not caught by the function check_session_buf_not_used because it checks only tls_wrap, not tls_wrap_reneg. This commit adds that check. CVE: 2026-13117 Github: OpenVPN/openvpn-private-issues#119 Github: OpenVPN/openvpn-private-issues#125 Reported-By: Trace37 Labs (https://github.com/trace37labs) Github: OpenVPN/openvpn-private-issues#131 Reported-By: Haiyang Huang <huanghaiyang83@gmail.com> Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-By: Arne Schwabe <arne@rfc2549.org> (cherry picked from commit cd536fffdef1f2bd54b3b848bd257917061637e8)
This commit is contained in:
parent
4357bb3754
commit
7cfd5c09b2
1 changed files with 6 additions and 0 deletions
|
|
@ -3240,6 +3240,12 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
|
|||
"still in use (tls_wrap.work.data)");
|
||||
goto used;
|
||||
}
|
||||
if (session->tls_wrap_reneg.work.data == dataptr)
|
||||
{
|
||||
msg(M_INFO, "Warning buffer of freed TLS session is "
|
||||
"still in use (tls_wrap_reneg.work.data)");
|
||||
goto used;
|
||||
}
|
||||
|
||||
for (int i = 0; i < KS_SIZE; i++)
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in a new issue