From 7cfd5c09b2fb802ec4043bef04fbe8dc7978ed72 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Fri, 22 May 2026 14:34:57 +0200 Subject: [PATCH] Fix tls_wrap_reneg use after free When dynamic tls-crypt is active, it is possible for tls_multi_process to set to_link to session->tls_wrap_reneg.work and later free that session, leaving to_link.data pointing to freed memory. This is not caught by the function check_session_buf_not_used because it checks only tls_wrap, not tls_wrap_reneg. This commit adds that check. CVE: 2026-13117 Github: OpenVPN/openvpn-private-issues#119 Github: OpenVPN/openvpn-private-issues#125 Reported-By: Trace37 Labs (https://github.com/trace37labs) Github: OpenVPN/openvpn-private-issues#131 Reported-By: Haiyang Huang Signed-off-by: Max Fillinger Acked-By: Arne Schwabe (cherry picked from commit cd536fffdef1f2bd54b3b848bd257917061637e8) --- src/openvpn/ssl.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 0a6be2dd..342957ea 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3240,6 +3240,12 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session) "still in use (tls_wrap.work.data)"); goto used; } + if (session->tls_wrap_reneg.work.data == dataptr) + { + msg(M_INFO, "Warning buffer of freed TLS session is " + "still in use (tls_wrap_reneg.work.data)"); + goto used; + } for (int i = 0; i < KS_SIZE; i++) {