From 985cceaa97a2e7c8d493bde11452f54895208bfe Mon Sep 17 00:00:00 2001
From: Anthony Hu
Date: Fri, 27 Mar 2026 09:15:22 -0400
Subject: [PATCH] Fix session cache restore dangling pointer (ZD 21423)

Reinitialize pointer fields in WOLFSSL_SESSION after raw XMEMCPY or XFREAD in wolfSSL_memrestore_session_cache and wolfSSL_restore_session_cache. After restore, ticket is reset to staticTicket, ticketLenAlloc to 0, and peer to NULL.
---
 src/ssl_sess.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/src/ssl_sess.c b/src/ssl_sess.c
index 5501c5cc2d..7ccc526f6a 100644
--- a/src/ssl_sess.c
+++ b/src/ssl_sess.c
@@ -522,6 +522,22 @@ int wolfSSL_memrestore_session_cache(const void* mem, int sz)
 #endif
 XMEMCPY(&SessionCache[i], row++, SIZEOF_SESSION_ROW);
+ #ifndef SESSION_CACHE_DYNAMIC_MEM
+ /* Reset pointers to safe values after raw copy */
+ {
+ int j;
+ for (j = 0; j < SESSIONS_PER_ROW; j++) {
+ WOLFSSL_SESSION* s = &SessionCache[i].Sessions[j];
+ #ifdef HAVE_SESSION_TICKET
+ s->ticket = s->staticTicket;
+ s->ticketLenAlloc = 0;
+ #endif
+ #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
+ s->peer = NULL;
+ #endif
+ }
+ }
+ #endif
 #ifdef ENABLE_SESSION_CACHE_ROW_LOCK
 SESSION_ROW_UNLOCK(&SessionCache[i]);
 #endif
@@ -681,6 +697,22 @@ int wolfSSL_restore_session_cache(const char *fname)
 #endif
 ret = (int)XFREAD(&SessionCache[i], SIZEOF_SESSION_ROW, 1, file);
+ #ifndef SESSION_CACHE_DYNAMIC_MEM
+ /* Reset pointers to safe values after raw copy */
+ {
+ int j;
+ for (j = 0; j < SESSIONS_PER_ROW; j++) {
+ WOLFSSL_SESSION* s = &SessionCache[i].Sessions[j];
+ #ifdef HAVE_SESSION_TICKET
+ s->ticket = s->staticTicket;
+ s->ticketLenAlloc = 0;
+ #endif
+ #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
+ s->peer = NULL;
+ #endif
+ }
+ }
+ #endif
 #ifdef ENABLE_SESSION_CACHE_ROW_LOCK
 SESSION_ROW_UNLOCK(&SessionCache[i]);
 #endif
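Review bot: The reset in the added loop leaves `s->ticketLen` exactly as it came out of the restored image, so after `s->ticket = s->staticTicket;` the length may no longer describe the buffer the pointer now refers to. If the saved session kept its ticket in a heap allocation (presumably whenever the ticket did not fit in `staticTicket`), later readers of `ticket`/`ticketLen` could run past the static array, and the bytes in `staticTicket` are not that ticket in any case. Consider adding `if (s->ticketLen > sizeof(s->staticTicket)) s->ticketLen = 0;` beside the pointer reset; this assumes `staticTicket` is an in-struct array, so confirm against the WOLFSSL_SESSION definition. The same gap is in the identical block of the wolfSSL_restore_session_cache hunk, and both functions begin and end outside their hunks.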
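Review bot: This reset block in wolfSSL_restore_session_cache is a line-for-line copy of the one added to wolfSSL_memrestore_session_cache, so any pointer field later added to WOLFSSL_SESSION has to be remembered in two places. Moving the loop into a single `static` helper that takes the row, and calling it after both the XMEMCPY and the XFREAD, keeps the two restore paths from drifting apart. The existing comment could also say why the reset is needed, for example `/* persisted image is raw memory: pointer fields from it must never be used */`. The reset here runs before `ret` from XFREAD is examined, which is the safe order for a partially read row; any check of `ret` lies outside the hunk.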