openssl: only free buffers when done (#9309)

tobiasb-ms · web-flow · commit 3eef9c87e1cd · 2024-06-04T15:21:33.000-07:00
diff --git a/SPECS/openssl/openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch b/SPECS/openssl/openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch
@@ -0,0 +1,67 @@
+From f7a045f3143fc6da2ee66bf52d8df04829590dd4 Mon Sep 17 00:00:00 2001
+From: Watson Ladd <watsonbladd@gmail.com>
+Date: Wed, 24 Apr 2024 11:26:56 +0100
+Subject: [PATCH] Only free the read buffers if we're not using them
+
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+---
+ ssl/record/rec_layer_s3.c | 9 +++++++++
+ ssl/record/record.h       | 1 +
+ ssl/ssl_lib.c             | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index 1db1712a0..525c3abf4 100644
+--- a/ssl/record/rec_layer_s3.c
++++ b/ssl/record/rec_layer_s3.c
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++    if (rl->rstate == SSL_ST_READ_BODY)
++        return 1;
++    if (RECORD_LAYER_processed_read_pending(rl))
++        return 1;
++    return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/ssl/record/record.h b/ssl/record/record.h
+index af56206e0..513ab3988 100644
+--- a/ssl/record/record.h
++++ b/ssl/record/record.h
+@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index c01ad8291..356d65cb6 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -5248,6 +5248,9 @@ int SSL_free_buffers(SSL *ssl)
+     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+         return 0;
+ 
++    if (RECORD_LAYER_data_present(rl))
++        return 0;
++
+     RECORD_LAYER_release(rl);
+     return 1;
+ }
+-- 
+2.33.8
+
diff --git a/SPECS/openssl/openssl.spec b/SPECS/openssl/openssl.spec
@@ -4,7 +4,7 @@
 Summary:        Utilities from the general purpose cryptography library with TLS implementation
 Name:           openssl
 Version:        1.1.1k
-Release:        30%{?dist}
+Release:        31%{?dist}
 License:        OpenSSL
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -61,6 +61,7 @@ Patch37:        CVE-2023-3817.patch
 Patch38:        openssl-1.1.1-improve-safety-of-DH.patch
 Patch39:        openssl-1.1.1-add-null-checks-where-contentinfo-data-can-be-null.patch
 Patch40:        openssl-1.1.1-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch
+Patch41:        openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch
 BuildRequires:  perl-Test-Warnings
 BuildRequires:  perl-Text-Template
 BuildRequires:  perl(FindBin)
@@ -174,6 +175,7 @@ cp %{SOURCE4} test/
 %patch38 -p1
 %patch39 -p1
 %patch40 -p1
+%patch41 -p1
 
 %build
 # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
@@ -363,8 +365,11 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
 %postun libs -p /sbin/ldconfig
 
 %changelog
-* Fri Apr 19 2024 Tobias Brick <tobaisb@microsoft.com> - 1.1.1k-30
-* Fix unconstrained session cache growth in TLSv1.3
+* Tue Jun 04 2024 Tobias Brick <tobiasb@microsoft.com> - 1.1.1k-31
+- Only free the read buffers if we're not using them
+
+* Fri Apr 19 2024 Tobias Brick <tobiasb@microsoft.com> - 1.1.1k-30
+- Fix unconstrained session cache growth in TLSv1.3
 
 * Wed Feb 14 2024 Tobias Brick <tobiasb@microsoft.com> - 1.1.1k-29
 - Introduce patch to correctly address NULL ContentInfo data
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-30.cm2.aarch64.rpm
-openssl-devel-1.1.1k-30.cm2.aarch64.rpm
-openssl-libs-1.1.1k-30.cm2.aarch64.rpm
-openssl-perl-1.1.1k-30.cm2.aarch64.rpm
-openssl-static-1.1.1k-30.cm2.aarch64.rpm
+openssl-1.1.1k-31.cm2.aarch64.rpm
+openssl-devel-1.1.1k-31.cm2.aarch64.rpm
+openssl-libs-1.1.1k-31.cm2.aarch64.rpm
+openssl-perl-1.1.1k-31.cm2.aarch64.rpm
+openssl-static-1.1.1k-31.cm2.aarch64.rpm
 libcap-2.60-2.cm2.aarch64.rpm
 libcap-devel-2.60-2.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-30.cm2.x86_64.rpm
-openssl-devel-1.1.1k-30.cm2.x86_64.rpm
-openssl-libs-1.1.1k-30.cm2.x86_64.rpm
-openssl-perl-1.1.1k-30.cm2.x86_64.rpm
-openssl-static-1.1.1k-30.cm2.x86_64.rpm
+openssl-1.1.1k-31.cm2.x86_64.rpm
+openssl-devel-1.1.1k-31.cm2.x86_64.rpm
+openssl-libs-1.1.1k-31.cm2.x86_64.rpm
+openssl-perl-1.1.1k-31.cm2.x86_64.rpm
+openssl-static-1.1.1k-31.cm2.x86_64.rpm
 libcap-2.60-2.cm2.x86_64.rpm
 libcap-devel-2.60-2.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -270,12 +270,12 @@ npth-1.6-4.cm2.aarch64.rpm
 npth-debuginfo-1.6-4.cm2.aarch64.rpm
 npth-devel-1.6-4.cm2.aarch64.rpm
 ntsysv-1.20-4.cm2.aarch64.rpm
-openssl-1.1.1k-30.cm2.aarch64.rpm
-openssl-debuginfo-1.1.1k-30.cm2.aarch64.rpm
-openssl-devel-1.1.1k-30.cm2.aarch64.rpm
-openssl-libs-1.1.1k-30.cm2.aarch64.rpm
-openssl-perl-1.1.1k-30.cm2.aarch64.rpm
-openssl-static-1.1.1k-30.cm2.aarch64.rpm
+openssl-1.1.1k-31.cm2.aarch64.rpm
+openssl-debuginfo-1.1.1k-31.cm2.aarch64.rpm
+openssl-devel-1.1.1k-31.cm2.aarch64.rpm
+openssl-libs-1.1.1k-31.cm2.aarch64.rpm
+openssl-perl-1.1.1k-31.cm2.aarch64.rpm
+openssl-static-1.1.1k-31.cm2.aarch64.rpm
 p11-kit-0.24.1-1.cm2.aarch64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.aarch64.rpm
 p11-kit-devel-0.24.1-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -276,12 +276,12 @@ npth-1.6-4.cm2.x86_64.rpm
 npth-debuginfo-1.6-4.cm2.x86_64.rpm
 npth-devel-1.6-4.cm2.x86_64.rpm
 ntsysv-1.20-4.cm2.x86_64.rpm
-openssl-1.1.1k-30.cm2.x86_64.rpm
-openssl-debuginfo-1.1.1k-30.cm2.x86_64.rpm
-openssl-devel-1.1.1k-30.cm2.x86_64.rpm
-openssl-libs-1.1.1k-30.cm2.x86_64.rpm
-openssl-perl-1.1.1k-30.cm2.x86_64.rpm
-openssl-static-1.1.1k-30.cm2.x86_64.rpm
+openssl-1.1.1k-31.cm2.x86_64.rpm
+openssl-debuginfo-1.1.1k-31.cm2.x86_64.rpm
+openssl-devel-1.1.1k-31.cm2.x86_64.rpm
+openssl-libs-1.1.1k-31.cm2.x86_64.rpm
+openssl-perl-1.1.1k-31.cm2.x86_64.rpm
+openssl-static-1.1.1k-31.cm2.x86_64.rpm
 p11-kit-0.24.1-1.cm2.x86_64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.x86_64.rpm
 p11-kit-devel-0.24.1-1.cm2.x86_64.rpm
