From ea649b7abe2951d17e58ad44f3d55e0d543835f4 Mon Sep 17 00:00:00 2001
From: andy <liuyang01@kylinos.cn>
Date: Fri, 1 Aug 2025 02:16:34 +0000
Subject: [PATCH] Fix CVE-2024-4741

---
 ...y-free-the-read-buffers-if-not-using.patch | 67 +++++++++++++++++++
 openresty-openssl111.spec                     |  8 ++-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch

diff --git a/backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch b/backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch
new file mode 100644
index 0000000..ef337ed
--- /dev/null
+++ b/backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch
@@ -0,0 +1,67 @@
+From 704f725b96aa373ee45ecfb23f6abfe8be8d9177 Mon Sep 17 00:00:00 2001
+From: Watson Ladd <watsonbladd@gmail.com>
+Date: Wed, 24 Apr 2024 11:26:56 +0100
+Subject: [PATCH] Only free the read buffers if we're not using them
+
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+CVE-2024-4741
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24395)
+---
+ ssl/record/rec_layer_s3.c | 9 +++++++++
+ ssl/record/record.h       | 1 +
+ ssl/ssl_lib.c             | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index 4bcffcc41e364..1569997bea2d3 100644
+--- a/ssl/record/rec_layer_s3.c
++++ b/ssl/record/rec_layer_s3.c
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++    if (rl->rstate == SSL_ST_READ_BODY)
++        return 1;
++    if (RECORD_LAYER_processed_read_pending(rl))
++        return 1;
++    return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/ssl/record/record.h b/ssl/record/record.h
+index 234656bf93942..b60f71c8cb23b 100644
+--- a/ssl/record/record.h
++++ b/ssl/record/record.h
+@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index e747b7f90aa71..9088223b9f6bb 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -5493,6 +5493,9 @@ int SSL_free_buffers(SSL *ssl)
+     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+         return 0;
+ 
++    if (RECORD_LAYER_data_present(rl))
++        return 0;
++
+     RECORD_LAYER_release(rl);
+     return 1;
+ }
diff --git a/openresty-openssl111.spec b/openresty-openssl111.spec
index e9fe319..90f9fcd 100644
--- a/openresty-openssl111.spec
+++ b/openresty-openssl111.spec
@@ -1,6 +1,6 @@
 Name:               openresty-openssl111
 Version:            1.1.1h
-Release:            7
+Release:            8
 Summary:            OpenSSL library for OpenResty
 
 Group:              Development/Libraries
@@ -17,6 +17,7 @@ Patch101:           backport-CVE-2022-4450.patch
 Patch102:           backport-CVE-2022-4304-Fix-Timing-Oracle-in-RSA-decryption.patch
 Patch103:	    backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch
 Patch104:           backport-CVE-2024-9143-Harden-BN_GF2m_poly2arr-against-misuse.patch
+Patch105:           backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch
 
 BuildRoot:          %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -125,6 +126,7 @@ Provides C header and static library for the debug version of OpenResty's OpenSS
 %patch102 -p1
 %patch103 -p1
 %patch104 -p1
+%patch105 -p1
 
 %build
 bash ./copy-dir.sh
@@ -267,6 +269,10 @@ rm -rf %{buildroot}
 %attr(0755,root,root) %{openssl_prefix_debug}/lib/*.a
 
 %changelog
+* Fri Aug 1 2025 andy <liuyang01@kylinos.cn> - 1.1.1h-8
+- Fix CVE-2024-4741
+  Only free the read buffers if we're not using them
+
 * Sun Jun 29 2025 andy <liuyang01@kylinos.cn> - 1.1.1h-7
 - Fix CVE-2024-9143
 
-- 
Gitee