Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIX: potential use-after-free in ./botan tls_proxy #4177

Merged
merged 1 commit into from
Jul 4, 2024
Merged

FIX: potential use-after-free in ./botan tls_proxy #4177

merged 1 commit into from
Jul 4, 2024

Conversation

reneme
Copy link
Collaborator

@reneme reneme commented Jul 4, 2024
edited
Loading

This fixes an issue that, in rare cases, causes a use-after-free in the tls_proxy CLI tool.

sequenceDiagram
    Client->>+Proxy: Connect
    Client->>Proxy: TLS Handshake
    Proxy-->>Client: 
    Proxy->>+Server: Connect
    Client->>Proxy: Disconnect
    Proxy-->>-Client: 
    Note left of Proxy: this-ptr invalidated
    Server-->>-Proxy: ACK
    Note over Proxy: Crash!
Loading

If the TLS session to the client was established (when tls_session_activated() was called), and the connection to the server was also established successfully (error code in onConnect() callback was not set); but (in the mean time) the this-pointer was deallocated via std::enable_shared_from_this, we end up in a use-after-free situation.

This sporadically appeared in CI after updating to Ubuntu 24.04 but wasn't reproducible locally, see #4112. I am confident that we did see this race on Windows in January but didn't investigate any further.

NOTE: This alone won't fix the glitches in CI. They just won't make ./botan tls_proxy crash any longer. I'll address the CI glitches independently.

@reneme
FIX: potential use-after-free in tls_proxy
b3b21ac 
If the TLS session to the client was established (when tls_session_activated()
was called), and the connection to the server was also established successfully
(ec in onConnect() callback was not set); but -- in the mean time -- the this-
pointer was deallocated via std::enable_shared_from_this, we end up in a use-
after free situation.

This sporadically appeared in CI but wasn't reproducible locally, see randombit#4112.
@reneme reneme added the bug label Jul 4, 2024
@reneme reneme added this to the Botan 3.5.0 milestone Jul 4, 2024
@reneme reneme requested a review from randombit July 4, 2024 06:50
@reneme reneme self-assigned this Jul 4, 2024
@coveralls
Copy link

Coverage Status

coverage: 91.723% (-0.008%) from 91.731%
when pulling b3b21ac on Rohde-Schwarz:fix/use_after_free_in_tls_proxy
into f4c26e4 on randombit:master.

@reneme reneme mentioned this pull request Jul 4, 2024
Merged
@randombit
Copy link
Owner

Subtle! Nice work tracking this down.

@reneme
Copy link
Collaborator Author

reneme commented Jul 4, 2024

I was "so" close to just rewrite the tls_proxy using boost and coroutines. ;)

@reneme reneme merged commit a75bb25 into randombit:master Jul 4, 2024
39 checks passed
@reneme reneme deleted the fix/use_after_free_in_tls_proxy branch July 4, 2024 09:36
@reneme reneme mentioned this pull request Jul 4, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@randombit randombit randombit approved these changes

Assignees

@reneme reneme

Labels
bug
Projects
None yet
Milestone
Botan 3.5.0
Development

Successfully merging this pull request may close these issues.
3 participants
@reneme @coveralls @randombit