Fix CVE-2024-4741 for branch 8.3 #632
Commits on Jun 26, 2024
Only free the read buffers if we're not using them
If we're part way through processing a record, or the application has not released all the records then we should not free our buffer because they are still needed.
CVE-2024-4741
Commit 6fe124d

Set rlayer.packet to NULL after we've finished using it
In order to ensure we do not have a UAF we reset the rlayer.packet pointer to NULL after we free it.
CVE-2024-4741
Commit 201bd70

Extend the SSL_free_buffers testing
Test that attempting to free the buffers at points where they should not be freed works as expected.
Follow on from CVE-2024-4741
Commit d77c2e1

Move the ability to load the dasync engine into ssltestlib.c
The sslapitest has a helper function to load the dasync engine which is useful for testing pipelining. We would like to have the same facility from sslbuffertest, so we move the function to the common location ssltestlib.c
Follow on from CVE-2024-4741
Commit 5619493

Commits on Jun 27, 2024
Further extend the SSL_free_buffers testing
We extend the testing to test what happens when pipelining is in use.
Follow on from CVE-2024-4741
Commit 608b6a8

Commit be6fb51

Commits on Jun 28, 2024
TLS pipelining provides the ability for libssl to read or write multiple records in parallel. It requires special ciphers to do this, and there are currently no built-in ciphers that provide this capability. However, the dasync engine does have such a cipher, so we add a test for this capability using that engine.
Commit 68b7fdf

Pipeline output/input buf arrays must live until the EVP_Cipher is called
The pipeline input/output buf arrays must remain accessible to the EVP_CIPHER_CTX until EVP_Cipher is subsequently called. This fixes an asan error discovered by the newly added pipeline test.
Commit ca9b71a

During read pipelining we must ensure that the buffer is sufficiently large to read enough data to fill our pipelines. We also remove some code that moved data to the start of the packet if we can. This was unnecessary because of later code which would end up moving it anyway. The earlier move was also incorrect in the case that |clearold| was 0. This would cause the read pipelining code to fail with sufficiently large records.
Commit d62c99d

Do not have more data in a pipeline than the split_send_fragment
We shouldn't be putting more data into a pipeline than the value of split_send_fragment.
Commit f1ac1ca

Commit 905e7a3