Commit 6d1d85c31b for openssl.org

commit 6d1d85c31b4840d08b48e57b1812a37cb9aa89ec
Author: Tomas Mraz <tomas@openssl.org>
Date:   Mon Dec 1 17:14:21 2025 +0100

    dtls_get_reassembled_message(): Fix potential use-after-realloc

    Fortunately due to the initial size of the allocated
    buffer and the limit for unfragmented DTLS record size
    the use-after-realloc cannot be triggered.

    But we fix the potentially problematic code anyway.

    Reported by Joshua Rogers. It was found with the ZeroPath security
    tooling.

    Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
    Reviewed-by: Matt Caswell <matt@openssl.org>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/29278)

diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 78baeed903..b26ecf42ae 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -946,7 +946,8 @@ static int dtls_get_reassembled_message(SSL_CONNECTION *s, int *errtype,
     }

     if (frag_len > 0) {
-        p += DTLS1_HM_HEADER_LENGTH;
+        /* dtls1_preprocess_fragment() above could reallocate init_buf */
+        p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;

         i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL,
                                         &p[frag_off], frag_len, 0, &readbytes);
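Review bot: the new line correctly re-derives `p` from `s->init_buf->data` instead of advancing a pointer that may be stale after `dtls1_preprocess_fragment()` reallocates the buffer, but the comment only says the buffer "could" be reallocated; consider stating there, as the commit message does, that the initial buffer size and the unfragmented DTLS record size limit currently make the realloc unreachable, so anyone changing either bound later recognises that this is the spot that depended on it. It is also worth confirming that no other pointer taken from `init_buf->data` before the `dtls1_preprocess_fragment()` call is still used further down this function, since the same realloc would invalidate it in the same way.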