Only free the read buffers if we're not using them

If we're part way through processing a record, or the application has not released all the records then we should not free our buffer because they are still needed. CVE-2024-4741 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from #24395) (cherry picked from commit 38690ca)
openssl · May 28, 2024 · e509313 · e509313
1 parent f84622c
commit e509313
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
@@ -2124,7 +2124,10 @@ int tls_free_buffers(OSSL_RECORD_LAYER *rl)
     /* Read direction */
 
     /* If we have pending data to be read then fail */
-    if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0)
+    if (rl->curr_rec < rl->num_recs
+            || rl->curr_rec != rl->num_released
+            || TLS_BUFFER_get_left(&rl->rbuf) != 0
+            || rl->rstate == SSL_ST_READ_BODY)
         return 0;
 
     return tls_release_read_buffer(rl);