Issue summary: Calling the OpenSSL API function SSL_free_buffers may causememory to be accessed that was previously freed in some situationsImpact summary: A use after free can have a range of potential consequences suchas the corruption of valid data, crashes or execution of arbitrary code.However, only applications that directly call the SSL_free_buffers function areaffected by this issue. Applications that do not call this function are notvulnerable. Our investigations indicate that this function is rarely used byapplications.The SSL_free_buffers function is used to free the internal OpenSSL buffer usedwhen processing an incoming record from the network. The call is only expectedto succeed if the buffer is not currently in use. However, two scenarios havebeen identified where the buffer is freed even when still in use.The first scenario occurs where a record header has been received from thenetwork and processed by OpenSSL, but the full record body has not yet arrived.In this case calling SSL_free_buffers will succeed even though a record has onlybeen partially processed and the buffer is still in use.The second scenario occurs where a full record containing application data hasbeen received and processed by OpenSSL but the application has only read part ofthis data. Again a call to SSL_free_buffers will succeed even though the bufferis still in use.While these scenarios could occur accidentally during normal operation amalicious attacker could attempt to engineer a stituation where this occurs.We are not aware of this issue being actively exploited.The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
