From 222e5a260bea5de940db2fd6cf19da2176ac8934 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Tue, 31 Jan 2023 14:12:28 +0100 Subject: [PATCH] BUG/MEDIUM: ssl: wrong eviction from the session cache tree When using WolfSSL, there are some cases were the SSL_CTX_sess_new_cb is called with an existing session ID. These cases are not met with OpenSSL. When the ID is found in the session tree during the insertion, the shared_block len is not set to 0 and is not used. However if later the block is reused, since the len is not set to 0, the release callback will be called an ebmb_delete will be tried on the block, even if it's not in the tree, provoking a crash. The code was buggy from the beginning, but the case never happen with openssl which changes the ID. Must be backported in every maintained branches. --- src/ssl_sock.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 0fea7dd09..51d2d7046 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4211,6 +4211,7 @@ static int sh_ssl_sess_store(unsigned char *s_id, unsigned char *data, int data_ if (oldsh_ssl_sess != sh_ssl_sess) { /* NOTE: Row couldn't be in use because we lock read & write function */ /* release the reserved row */ + first->len = 0; /* the len must be liberated in order not to call the release callback on it */ shctx_row_dec_hot(ssl_shctx, first); /* replace the previous session already in the tree */ sh_ssl_sess = oldsh_ssl_sess;