QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-04-29 11:14:36 +00:00
Code Issues Projects Releases Wiki Activity
openssl/ssl
History
Marcus Huewe c0a58e034d Do not free a session before calling the remove_session_cb 
If the remove_session_cb accesses the session's data (for instance,
via SSL_SESSION_get_protocol_version), a potential use after free
can occur. For this, consider the following scenario when adding
a new session via SSL_CTX_add_session:

- The session cache is full
  (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx))
- Only the session cache has a reference to ctx->session_cache_tail
  (that is, ctx->session_cache_tail->references == 1)

Since the cache is full, remove_session_lock is called to remove
ctx->session_cache_tail from the cache. That is, it
SSL_SESSION_free()s the session, which free()s the data. Afterwards,
the free()d session is passed to the remove_session_cb. If the callback
accesses the session's data, we have a use after free.

The free before calling the callback behavior was introduced in
commit e4612d02c53cccd24fa97b08fc01250d1238cca1 ("Remove sessions
from external cache, even if internal cache not used.").

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6222)
2018-06-07 13:08:07 +01:00
..
record
Mark DTLS records as read when we have finished with them
2018-05-11 14:20:56 +01:00
statem
Reformulate the if condition in tls_process_new_session_ticket
2018-06-07 10:58:35 +01:00
bio_ssl.c
Add comments to NULL func ptrs in bio_method_st
2017-12-18 07:04:48 +10:00
build.info
Move ssl/t1_ext.c to ssl/statem/extensions_cust.c
2017-04-07 13:41:04 +01:00
d1_lib.c
More record layer conversions to use SSLfatal()
2017-12-08 16:42:02 +00:00
d1_msg.c
Remove parentheses of return.
2017-10-18 16:05:06 +01:00
d1_srtp.c
Move client parsing of ServerHello extensions into new framework
2016-12-08 17:18:25 +00:00
methods.c
Drop support for OPENSSL_NO_TLS1_3_METHOD
2017-06-30 09:41:46 +01:00
packet_locl.h
TLS1.3 Padding
2017-05-02 09:44:43 +01:00
packet.c
Update copyright year
2018-04-17 15:18:40 +02:00
pqueue.c
Use void in all function definitions that do not take any arguments
2018-05-11 14:37:48 +02:00
s3_cbc.c
Move ossl_assert
2017-08-03 10:48:00 +01:00
s3_enc.c
Update copyright year
2018-03-20 13:08:46 +00:00
s3_lib.c
Fix no-psk
2018-05-14 17:43:19 +01:00
s3_msg.c
Update copyright year
2018-02-13 13:59:25 +00:00
ssl_asn1.c
Don't store the ticket nonce in the session
2018-06-07 10:58:35 +01:00
ssl_cert_table.h
Update copyright year
2018-03-20 13:08:46 +00:00
ssl_cert.c
Allow NULL for some _free routines.
2018-03-27 16:25:08 -04:00
ssl_ciph.c
Fix configuration of TLSv1.3 ciphersuites
2018-04-04 16:17:26 +01:00
ssl_conf.c
Allow configuation of the number of TLSv1.3 session tickets via SSL_CONF
2018-05-17 16:48:25 +01:00
ssl_err.c
Fix last(?) batch of malloc-NULL places
2018-04-26 14:02:24 -04:00
ssl_init.c
Add a config option to disable automatic config loading
2018-04-17 16:33:15 +02:00
ssl_lib.c
Enable SSL_MODE_AUTO_RETRY by default
2018-05-22 22:45:28 +02:00
ssl_locl.h
Don't store the ticket nonce in the session
2018-06-07 10:58:35 +01:00
ssl_mcnf.c
Move the loading of the ssl_conf module to libcrypto
2018-04-05 15:30:12 +01:00
ssl_rsa.c
Update copyright year
2018-03-20 13:08:46 +00:00
ssl_sess.c
Do not free a session before calling the remove_session_cb
2018-06-07 13:08:07 +01:00
ssl_stat.c
Merge HRR into ServerHello
2017-12-14 15:06:37 +00:00
ssl_txt.c
Update copyright year
2018-05-29 13:16:04 +01:00
ssl_utst.c
Remove heartbeat support
2016-11-13 16:24:02 -05:00
t1_enc.c
GOST MAC algorithms don't support EVP_PKEY_new_raw_private_key()
2018-03-30 19:28:33 +01:00
t1_lib.c
Fix EAP-FAST
2018-06-07 09:48:49 +01:00
t1_trce.c
Suport TLSv1.3 draft 28
2018-05-15 10:02:59 +01:00
tls13_enc.c
Fix TLSv1.3 ticket nonces
2018-06-07 10:58:35 +01:00
tls_srp.c
Use the private RNG for data that is not public
2018-04-02 22:22:43 +02:00