In the Linux kernel, the following vulnerability has been resolved:
tls: fix NULL deref on tlsswsplice_eof() with empty record
syzkaller discovered that if tlsswspliceeof() is executed as part of
sendfile() when the plaintext/ciphertext skmsg are empty, the send path
gets confused because the empty ciphertext buffer does not have enough
space for the encryption overhead. This causes tlspushrecord() to go on
the split = true
path (which is only supposed to be used when interacting
with an attached BPF program), and then get further confused and hit the
tlsmergeopen_record() path, which then assumes that there must be at
least one populated buffer element, leading to a NULL deref.
It is possible to have empty plaintext/ciphertext buffers if we previously bailed from tlsswsendmsglocked() via the tlstrimbothmsgs() path. tlsswpushpendingrecord() already handles this case correctly; let's do the same check in tlsswsplice_eof().