Skip to content

Commit 2ba4d7e

Browse files
Merge pull request #10210 from ColtonWilley/fix-scr-dangling-ptr-after-tlsx-freeall
Fix dangling secure_renegotiation pointer after TLSX_FreeAll
2 parents 118c0cc + 389d15f commit 2ba4d7e

3 files changed

Lines changed: 47 additions & 0 deletions

File tree

src/internal.c

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8976,6 +8976,11 @@ void wolfSSL_ResourceFree(WOLFSSL* ssl)
89768976
#ifdef HAVE_TLS_EXTENSIONS
89778977
#if !defined(NO_TLS)
89788978
TLSX_FreeAll(ssl->extensions, ssl->heap);
8979+
ssl->extensions = NULL;
8980+
#if defined(HAVE_SECURE_RENEGOTIATION) \
8981+
|| defined(HAVE_SERVER_RENEGOTIATION_INFO)
8982+
ssl->secure_renegotiation = NULL;
8983+
#endif
89798984
#endif /* !NO_TLS */
89808985
#ifdef HAVE_ALPN
89818986
if (ssl->alpn_peer_requested != NULL) {
@@ -9339,6 +9344,10 @@ void FreeHandshakeResources(WOLFSSL* ssl)
93399344
/* Some extensions need to be kept for post-handshake querying. */
93409345
TLSX_FreeAll(ssl->extensions, ssl->heap);
93419346
ssl->extensions = NULL;
9347+
#if defined(HAVE_SECURE_RENEGOTIATION) \
9348+
|| defined(HAVE_SERVER_RENEGOTIATION_INFO)
9349+
ssl->secure_renegotiation = NULL;
9350+
#endif
93429351
#else
93439352
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
93449353
TLSX_Remove(&ssl->extensions, TLSX_SIGNATURE_ALGORITHMS, ssl->heap);

src/ssl.c

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10072,6 +10072,10 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
1007210072
#if defined(HAVE_TLS_EXTENSIONS) && !defined(NO_TLS)
1007310073
TLSX_FreeAll(ssl->extensions, ssl->heap);
1007410074
ssl->extensions = NULL;
10075+
#if defined(HAVE_SECURE_RENEGOTIATION) \
10076+
|| defined(HAVE_SERVER_RENEGOTIATION_INFO)
10077+
ssl->secure_renegotiation = NULL;
10078+
#endif
1007510079
#endif
1007610080

1007710081
if (ssl->keys.encryptionOn) {

tests/api.c

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10277,6 +10277,39 @@ static int test_wolfSSL_wolfSSL_UseSecureRenegotiation(void)
1027710277
return EXPECT_RESULT();
1027810278
}
1027910279

10280+
/* TLSX_FreeAll frees the SecureRenegotiation struct but the cached pointer
10281+
* ssl->secure_renegotiation was not cleared, causing a use-after-free when
10282+
* queried after wolfSSL_clear(). */
10283+
static int test_wolfSSL_clear_secure_renegotiation(void)
10284+
{
10285+
EXPECT_DECLS;
10286+
#if (defined(HAVE_SECURE_RENEGOTIATION) || \
10287+
defined(HAVE_SERVER_RENEGOTIATION_INFO)) && \
10288+
(defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)) && \
10289+
!defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
10290+
WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
10291+
WOLFSSL *ssl = wolfSSL_new(ctx);
10292+
long support;
10293+
10294+
ExpectNotNull(ctx);
10295+
ExpectNotNull(ssl);
10296+
10297+
ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSecureRenegotiation(ssl));
10298+
ExpectNotNull(ssl->secure_renegotiation);
10299+
if (ssl->secure_renegotiation != NULL)
10300+
ssl->secure_renegotiation->enabled = 1;
10301+
10302+
ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_clear(ssl));
10303+
support = wolfSSL_SSL_get_secure_renegotiation_support(ssl);
10304+
ExpectNull(ssl->secure_renegotiation);
10305+
ExpectIntEQ(WOLFSSL_FAILURE, support);
10306+
10307+
wolfSSL_free(ssl);
10308+
wolfSSL_CTX_free(ctx);
10309+
#endif
10310+
return EXPECT_RESULT();
10311+
}
10312+
1028010313
/* Test reconnecting with a different ciphersuite after a renegotiation. */
1028110314
static int test_wolfSSL_SCR_Reconnect(void)
1028210315
{
@@ -36627,6 +36660,7 @@ TEST_CASE testCases[] = {
3662736660
TEST_DECL(test_TLSX_TCA_Find),
3662836661
TEST_DECL(test_TLSX_SNI_GetSize_overflow),
3662936662
TEST_DECL(test_wolfSSL_wolfSSL_UseSecureRenegotiation),
36663+
TEST_DECL(test_wolfSSL_clear_secure_renegotiation),
3663036664
TEST_DECL(test_wolfSSL_SCR_Reconnect),
3663136665
TEST_DECL(test_wolfSSL_SCR_check_enabled),
3663236666
TEST_DECL(test_tls_ext_duplicate),

0 commit comments

Comments
 (0)