BUG/MEDIUM: quic: Possible crashes during secrets allocations (heavy load)

This bug could be reproduced with the -dMfail option and was detected by libasan.
When an allocation fails during the TLS secrets allocations,
quic_tls_ctx_secs_free() is called. It resets the already initialized secrets.
Some were detected as initialized when they were not, or had an uninitialized
length, which led to big "memset(0)" calls detected by libasan.

Ensure that all the secrets are really initialized with correct lengths.

No need to be backported.
Frédéric Lécaille 2023-11-08 15:59:00 +01:00
parent 819690303d
commit 0016dbaef4


@ -685,8 +685,11 @@ static inline void quic_tls_ctx_reset(struct quic_tls_ctx *ctx)
ctx->rx.hp_ctx = NULL; ctx->rx.hp_ctx = NULL;
ctx->rx.hp = NULL; ctx->rx.hp = NULL;
ctx->rx.secret = NULL; ctx->rx.secret = NULL;
ctx->rx.secretlen = 0;
ctx->rx.iv = NULL; ctx->rx.iv = NULL;
ctx->rx.ivlen = 0;
ctx->rx.key = NULL; ctx->rx.key = NULL;
ctx->rx.keylen = 0;
ctx->rx.pn = 0; ctx->rx.pn = 0;
ctx->tx.ctx = NULL; ctx->tx.ctx = NULL;
@ -695,8 +698,11 @@ static inline void quic_tls_ctx_reset(struct quic_tls_ctx *ctx)
ctx->tx.hp_ctx = NULL; ctx->tx.hp_ctx = NULL;
ctx->tx.hp = NULL; ctx->tx.hp = NULL;
ctx->tx.secret = NULL; ctx->tx.secret = NULL;
ctx->tx.secretlen = 0;
ctx->tx.iv = NULL; ctx->tx.iv = NULL;
ctx->tx.ivlen = 0;
ctx->tx.key = NULL; ctx->tx.key = NULL;
ctx->tx.keylen = 0;
/* Not used on the TX path. */ /* Not used on the TX path. */
ctx->tx.pn = 0; ctx->tx.pn = 0;
@ -835,6 +841,20 @@ static inline int quic_initial_tls_ctx_init(struct quic_tls_ctx *ctx)
ctx->rx.md = ctx->tx.md = EVP_sha256(); ctx->rx.md = ctx->tx.md = EVP_sha256();
ctx->rx.hp = ctx->tx.hp = EVP_aes_128_ctr(); ctx->rx.hp = ctx->tx.hp = EVP_aes_128_ctr();
ctx->rx.iv = NULL;
ctx->rx.ivlen = 0;
ctx->rx.key = NULL;
ctx->rx.keylen = 0;
ctx->rx.secret = NULL;
ctx->rx.secretlen = 0;
ctx->tx.iv = NULL;
ctx->tx.ivlen = 0;
ctx->tx.key = NULL;
ctx->tx.keylen = 0;
ctx->tx.secret = NULL;
ctx->tx.secretlen = 0;
return quic_tls_ctx_keys_alloc(ctx); return quic_tls_ctx_keys_alloc(ctx);
} }
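Review bot: The twelve assignments added to quic_initial_tls_ctx_init() repeat, field for field, the NULL/0 resets that this commit also adds to quic_tls_ctx_reset(), so the pointer/length pairing for secret, iv and key now has to be kept in sync in two places. The bug being fixed was a length left unset next to its pointer, so a single static inline helper called from both functions would make that drift harder to reintroduce when a field is added later. At minimum, a comment above each group would record the invariant, for example `/* secret/iv/key stay NULL with a zero length until allocated; quic_tls_ctx_secs_free() relies on the lengths when clearing them */`. That wording follows the commit message, since quic_tls_ctx_secs_free() itself is not shown. Both function bodies begin outside the hunks, so it is not visible here whether the init path already runs after a reset.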