sfackler rust-openssl
cpe:2.3:a:rust-openssl_project:rust-openssl:*:*:*:*:rust:*:*
- >= 0.10.0, < 0.10.70
A use-after-free vulnerability has been identified in the rust-openssl crate, in versions from 0.10.0 up to, but not including, 0.10.70. The issue arises in the `ssl::select_next_proto` function, which can return a slice pointing into the server buffer but with a lifetime tied to the client buffer. If the server buffer's lifetime is shorter than that of the client buffer, the returned slice can outlive the memory it points to, which is a use-after-free condition. This vulnerability may cause the server to crash or to leak arbitrary memory contents to the client.
Exploitation of this vulnerability can lead to a use-after-free condition, causing the server to crash or to return arbitrary memory contents to the client.
The vulnerability can be reproduced by constructing a server buffer within the callback passed to `SslContextBuilder::set_alpn_select_callback`. This will create a short-lived buffer that is freed when the callback returns, allowing `ssl::select_next_proto` to return a slice that points to freed memory.
Users are advised to upgrade to rust-openssl version 0.10.70 or later, which fixes the vulnerability by properly constraining the output buffer's lifetime to match that of both input buffers.
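The lifetime constraint described above, shown as an added example in safe Rust (this is not the crate's own code): a stand-in `select_next_proto` whose result shares one lifetime with both inputs, and a callback body that keeps the server list in a `static` rather than building it per call. The names `entries`, `alpn_callback` and `SERVER_PROTOS` are hypothetical, and the client offer in `main` is constructed sample data.

```rust
// Added illustration: a safe-Rust stand-in for `ssl::select_next_proto`,
// not the crate's implementation. Lists use the ALPN wire format
// (one length byte followed by that many name bytes, repeated).

/// Iterate over the entries of a length-prefixed protocol list.
/// Stops at the first truncated or zero-length entry.
fn entries<'a>(mut list: &'a [u8]) -> impl Iterator<Item = &'a [u8]> + 'a {
    std::iter::from_fn(move || {
        let (&len, rest) = list.split_first()?;
        let len = len as usize;
        if len == 0 || rest.len() < len {
            return None;
        }
        let (name, tail) = rest.split_at(len);
        list = tail;
        Some(name)
    })
}

/// Pick the first entry of `server` that also appears in `client`.
/// The result borrows from `server`; giving both inputs the single lifetime
/// `'a` (the constraint the page attributes to 0.10.70) lets the compiler
/// check that the server buffer lives as long as the returned slice.
fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
    entries(server).find(|s| entries(client).any(|c| c == *s))
}

// Server preference list with 'static lifetime: it outlives every callback.
static SERVER_PROTOS: &[u8] = b"\x02h2\x08http/1.1";

/// Shape of an ALPN select callback body: `client` is the peer's offer.
fn alpn_callback<'a>(client: &'a [u8]) -> Option<&'a [u8]> {
    // Building the list here instead, e.g.
    //     let server = b"\x02h2\x08http/1.1".to_vec();
    //     select_next_proto(&server, client)
    // does not compile with this signature: the result would borrow a
    // local that is dropped when the callback returns.
    select_next_proto(SERVER_PROTOS, client)
}

fn main() {
    // Constructed client offer: "http/1.1" then "h2"; server order wins.
    let client = b"\x08http/1.1\x02h2".to_vec();
    let chosen = alpn_callback(&client);
    println!("{:?}", chosen.map(|p| String::from_utf8_lossy(p)));
}
```

On affected versions the compiler cannot make this check, so code review should look for server protocol lists allocated inside the callback passed to `SslContextBuilder::set_alpn_select_callback`.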