From 943f4f6160684320fb9956087c603689ed9ff731 Mon Sep 17 00:00:00 2001
From: Andy Fiddaman
Date: Tue, 4 Jun 2024 18:02:06 +0000
Subject: [PATCH 1/2] CVE-2024-4741
diff -wpruN --no-dereference '--exclude=*.orig' a~/ssl/record/rec_layer_s3.c a/ssl/record/rec_layer_s3.c
--- a~/ssl/record/rec_layer_s3.c 1970-01-01 00:00:00
+++ a/ssl/record/rec_layer_s3.c 1970-01-01 00:00:00
@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECO
 return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
 }
 
+int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
+{
+ if (rl->rstate == SSL_ST_READ_BODY)
+ return 1;
+ if (RECORD_LAYER_processed_read_pending(rl))
+ return 1;
+ return 0;
+}
+
 /* Checks if we have decrypted unread record data pending */
 int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
 {
diff -wpruN --no-dereference '--exclude=*.orig' a~/ssl/record/record.h a/ssl/record/record.h
--- a~/ssl/record/record.h 1970-01-01 00:00:00
+++ a/ssl/record/record.h 1970-01-01 00:00:00
@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *
 int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
 int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
 int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
+int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
 int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
diff -wpruN --no-dereference '--exclude=*.orig' a~/ssl/ssl_lib.c a/ssl/ssl_lib.c
--- a~/ssl/ssl_lib.c 1970-01-01 00:00:00
+++ a/ssl/ssl_lib.c 1970-01-01 00:00:00
@@ -5248,6 +5248,9 @@ int SSL_free_buffers(SSL *ssl)
 if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
 return 0;
 
+ if (RECORD_LAYER_data_present(rl))
+ return 0;
+
 RECORD_LAYER_release(rl);
 return 1;
 }
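Review bot: The new RECORD_LAYER_data_present() in rec_layer_s3.c is added without a header comment, while the adjacent RECORD_LAYER_processed_read_pending() directly below it is introduced with one, so a reader cannot tell from the body why an rstate of SSL_ST_READ_BODY counts as data being present. Mirroring the neighbour's style, I would add above the definition `/* Checks if a record is only partially read (presumably header consumed, body still pending) or if decrypted unread record data is pending */`. The two early returns could be collapsed to `return rl->rstate == SSL_ST_READ_BODY || RECORD_LAYER_processed_read_pending(rl);`, though the current form matches the file's existing style. The prototype added in the record.h hunk sits in the existing pending-check group and needs nothing further.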
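Review bot: The added guard in SSL_free_buffers() in ssl_lib.c carries no comment saying why the existing RECORD_LAYER_read_pending()/RECORD_LAYER_write_pending() check immediately above it is not sufficient, and the commit message is only the CVE id, so the reason for refusing to release the buffers in this extra state is lost to the next maintainer. A short comment above the new `if`, such as `/* Do not release rbuf while a record is partially read or decrypted data is still unconsumed; see CVE-2024-4741 */`, would preserve it (given the subject line, the check presumably prevents a later use of released buffer memory, but that is inferred, not shown here). Folding the new condition into the preceding `if` with `||` would also keep a single "not safe to free" exit. The body of SSL_free_buffers(), including where rl is obtained, begins before this hunk.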