With KTLS, writes to an SSL connection store the application buffer
pointer directly in the 'buf' member instead of allocating a separate
buffer to hold the encrypted data. As a result,
ssl3_release_write_buffer() has to avoid freeing these 'buf' pointers.
Previously, ssl3_release_write_buffer() checked for KTLS being enabled
on the write BIO to determine if a buffer should be freed. However, a
buffer can outlive a BIO. For example, 'openssl s_time' creates new
write BIOs when reusing sessions. Since the new BIO did not have KTLS
enabled at the start of a connection, ssl3_release_write_buffer()
would incorrectly try to free the 'buf' pointer from the previous KTLS
connection. To fix, track the state of 'buf' explicitly in
SSL3_BUFFER to determine if the 'buf' should be freed or simply
cleared.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10489)
*/
SSL3_BUFFER_set_buf(&s->rlayer.wbuf[0], (unsigned char *)buf);
SSL3_BUFFER_set_offset(&s->rlayer.wbuf[0], 0);
+ SSL3_BUFFER_set_app_buffer(&s->rlayer.wbuf[0], 1);
goto wpacket_init_complete;
}
size_t offset;
/* how many bytes left */
size_t left;
+ /* 'buf' is from application for KTLS */
+ int app_buffer;
} SSL3_BUFFER;
#define SEQ_NUM_SIZE 8
#define SSL3_BUFFER_add_offset(b, o) ((b)->offset += (o))
#define SSL3_BUFFER_is_initialised(b) ((b)->buf != NULL)
#define SSL3_BUFFER_set_default_len(b, l) ((b)->default_len = (l))
+#define SSL3_BUFFER_set_app_buffer(b, l) ((b)->app_buffer = (l))
+#define SSL3_BUFFER_is_app_buffer(b) ((b)->app_buffer)
void SSL3_BUFFER_clear(SSL3_BUFFER *b);
void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, size_t n);
while (pipes > 0) {
wb = &RECORD_LAYER_get_wbuf(&s->rlayer)[pipes - 1];
- if (s->wbio == NULL || !BIO_get_ktls_send(s->wbio))
+ if (SSL3_BUFFER_is_app_buffer(wb))
+ SSL3_BUFFER_set_app_buffer(wb, 0);
+ else
OPENSSL_free(wb->buf);
wb->buf = NULL;
pipes--;