Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix lifetimes in ssl::select_next_proto #2360

Merged
merged 1 commit into from
Feb 2, 2025
Merged

Fix lifetimes in ssl::select_next_proto #2360

merged 1 commit into from
Feb 2, 2025
+1 −1

Conversation

sfackler
Copy link
Owner

@sfackler sfackler commented Feb 2, 2025
edited
Loading

SSL_select_next_proto can return a pointer into either the client or server buffers, but the type signature of the function previously only bound the output buffer to the client buffer. This can result in a UAF in situations where the server slice does not point to a long-lived allocation.

Thanks to Matt Mastracci for reporting this issue.

@sfackler sfackler merged commit f014afb into master Feb 2, 2025
67 checks passed
@sfackler sfackler deleted the fix-alpn-lifetimes branch February 2, 2025 17:56
@cedricschwyter cedricschwyter mentioned this pull request Feb 3, 2025
Merged
@coolreader18
Copy link
Contributor

In the advisory, this is listed as a non-vulnerable use of the API:

let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

But that code no longer compiles with this patch, and I'm not exactly sure what the solution would be, besides to just leak server_protos (which isn't much of a solution at all). I feel like the main solution to this would be allowing borrows from the captured closure environment, but that isn't possible. Perhaps this could instead be a trait that allows borrowing from self, with a default implementation for closures to maintain backcompat? And then there could be a provided implementation that just uses select_next_proto, since I'd guess that's 99% of use cases.

@sfackler
Copy link
Owner Author

besides to just leak server_protos (which isn't much of a solution at all)

Unless you're dynamically constructing a bunch of short-lived contexts with different ALPN configurations that probably is a solution?

You could also write a select_next_proto equivalent in Rust that always returns a borrow out of client_protos. To be honest, it's wild to me that the OpenSSL API doesn't do that.

@coolreader18
Copy link
Contributor

coolreader18 commented Feb 11, 2025
edited
Loading

Unless you're dynamically constructing a bunch of short-lived contexts with different ALPN configurations that probably is a solution?

Fair enough lol. This is for rustpython, which exposes a _set_alpn_protocols method, so theoretically a user (or existing python code, or whatever) could indeed construct a bunch of contexts to do that. The second solution seems like a good idea, though it would be nice to not have to reimplement alpn parsing.

@coolreader18
Copy link
Contributor

I guess this kinda thing just works, I think:

let proto =
    ssl::select_next_proto(&server, client).ok_or(ssl::AlpnError::NOACK)?;
let pos = memchr::memmem::find(client, proto)
    .expect("selected alpn proto should be present in client protos");
Ok(&client[pos..proto.len()])

@sfackler
Copy link
Owner Author

Yeah that's an easy brute-force way to fix it.

@GustavoWidman GustavoWidman mentioned this pull request Feb 12, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sfackler @coolreader18