RUSTSEC-2025-0004
- Source
- https://rustsec.org/advisories/RUSTSEC-2025-0004
- Import Source
- https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0004.json
- JSON Data
- https://api.osv.dev/v1/vulns/RUSTSEC-2025-0004
- Aliases
- Published
- 2025-02-02T12:00:00Z
- Modified
- 2025-02-03T18:56:56.735670Z
- Summary
- ssl::select_next_proto use after free
- Details
-
In
opensslversions before0.10.70,ssl::select_next_protocan return a slice pointing into theserverargument's buffer but with a lifetime bound to theclientargument. In situations where theserverbuffer's lifetime is shorter than theclientbuffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.openssl0.10.70 fixes the signature ofssl::select_next_prototo properly constrain the output buffer's lifetime to that of both input buffers.In standard usage of
ssl::select_next_protoin the callback passed toSslContextBuilder::set_alpn_select_callback, code is only affected if theserverbuffer is constructed within the callback. For example:Not vulnerable - the server buffer has a
'staticlifetime:builder.set_alpn_select_callback(|_, client_protos| { ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK) });Not vulnerable - the server buffer outlives the handshake:
let server_protos = b"\x02h2".to_vec(); builder.set_alpn_select_callback(|_, client_protos| { ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK) });Vulnerable - the server buffer is freed when the callback returns:
builder.set_alpn_select_callback(|_, client_protos| { let server_protos = b"\x02h2".to_vec(); ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK) }); - Database specific
{ "license": "CC0-1.0" }- References
Affected packages
crates.io / openssl
Package
- Name
- openssl
- View open source insights on deps.dev
- Purl
- pkg:cargo/openssl