From b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d Mon Sep 17 00:00:00 2001
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 24 Apr 2024 11:26:56 +0100
Subject: [PATCH] Only free the read buffers if we're not using them

If we're part way through processing a record, or the application has
not released all the records then we should not free our buffer because
they are still needed.

CVE-2024-4741

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24395)

(cherry picked from commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177)
---
 ssl/record/rec_layer_s3.c | 9 +++++++++
 ssl/record/record.h       | 1 +
 ssl/ssl_lib.c             | 3 +++
 3 files changed, 13 insertions(+)

diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 4bcffcc41e364..1569997bea2d3 100644
--- ssl/record/rec_layer_s3.c.orig
+++ ssl/record/rec_layer_s3.c
@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
 }
 
+int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
+{
+    if (rl->rstate == SSL_ST_READ_BODY)
+        return 1;
+    if (RECORD_LAYER_processed_read_pending(rl))
+        return 1;
+    return 0;
+}
+
 /* Checks if we have decrypted unread record data pending */
 int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
 {
diff --git a/ssl/record/record.h b/ssl/record/record.h
index 234656bf93942..b60f71c8cb23b 100644
--- ssl/record/record.h.orig
+++ ssl/record/record.h
@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
 int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
 int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
 int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
+int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
 int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index eed649c6fdee9..d14c55ae557bc 100644
--- ssl/ssl_lib.c.orig
+++ ssl/ssl_lib.c
@@ -5492,6 +5492,9 @@ int SSL_free_buffers(SSL *ssl)
     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
         return 0;
 
+    if (RECORD_LAYER_data_present(rl))
+        return 0;
+
     RECORD_LAYER_release(rl);
     return 1;
 }