Commit c0a58e03, authored by Marcus Huewe, committed by Matt Caswell

Do not free a session before calling the remove_session_cb

If the remove_session_cb accesses the session's data (for instance,
via SSL_SESSION_get_protocol_version), a potential use after free
can occur. For this, consider the following scenario when adding
a new session via SSL_CTX_add_session:

- The session cache is full
  (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx))
- Only the session cache has a reference to ctx->session_cache_tail
  (that is, ctx->session_cache_tail->references == 1)

Since the cache is full, remove_session_lock is called to remove
ctx->session_cache_tail from the cache. That is, it
SSL_SESSION_free()s the session, which free()s the data. Afterwards,
the free()d session is passed to the remove_session_cb. If the callback
accesses the session's data, we have a use after free.

The free before calling the callback behavior was introduced in
commit e4612d02 ("Remove sessions
from external cache, even if internal cache not used.").

CLA: trivial
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6222)
Parent 0189bf2b
......@@ -769,11 +769,11 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
if (lck)
CRYPTO_THREAD_unlock(ctx->lock);
if (ret)
SSL_SESSION_free(r);
if (ctx->remove_session_cb != NULL)
ctx->remove_session_cb(ctx, c);
if (ret)
SSL_SESSION_free(r);
} else
ret = 0;
return ret;
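Review bot: nothing at the `if (ret) SSL_SESSION_free(r);` pair that now follows the `ctx->remove_session_cb(ctx, c)` call records that this ordering is required, so a later cleanup could move the free back above the callback without anyone noticing. Suggest a short comment at that spot stating that the callback may read the session and must therefore run before the cache's reference is dropped. The callback receives `c` while the reference dropped is `r`; if these name the same session whenever `ret` is set, as the commit message implies, the comment should say so, since that is what makes the order matter.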
......
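The ordering problem the commit message describes, as an added example that is not OpenSSL's code: a simplified model in which `session`, `ctx`, `session_free`, `record_cb`, `remove_session` and `evict_tail` are hypothetical stand-ins, and the "free" scrubs the object instead of calling free() so the callback's view can be inspected without undefined behaviour.

```c
#include <stdio.h>
/* Simplified model of a ref-counted session and its context (assumed names). */
typedef struct ctx ctx;
typedef struct { int references; int protocol_version; int released; } session;
struct ctx {
    void (*remove_session_cb)(ctx *, session *);
    int cb_saw_released, cb_saw_version;   /* what the callback observed */
};

/* Stand-in for SSL_SESSION_free(): at zero references, scrub, do not free(). */
static void session_free(session *s)
{
    if (--s->references == 0) {
        s->protocol_version = 0;
        s->released = 1;
    }
}

/* Callback that reads session data, as one calling
 * SSL_SESSION_get_protocol_version() would. */
static void record_cb(ctx *c, session *s)
{
    c->cb_saw_released = s->released;
    c->cb_saw_version = s->protocol_version;
}

/* Tail of the removal path; free_first selects the pre-fix ordering. */
static void remove_session(ctx *c, session *s, int free_first)
{
    if (free_first)
        session_free(s);                   /* old: release, then notify */
    if (c->remove_session_cb != NULL)
        c->remove_session_cb(c, s);
    if (!free_first)
        session_free(s);                   /* fixed: notify, then release */
}

/* One eviction where the cache holds the only reference to the tail. */
static ctx evict_tail(int free_first)
{
    session tail = { 1, 0x0304, 0 };       /* constructed sample session */
    ctx c = { record_cb, -1, -1 };
    remove_session(&c, &tail, free_first);
    return c;
}

int main(void)
{
    printf("old saw released=%d, fixed saw released=%d\n", evict_tail(1).cb_saw_released, evict_tail(0).cb_saw_released);
    return 0;
}
```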