diff options
author | Adam Langley <agl@imperialviolet.org> | 2014-06-06 14:19:21 -0700 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2014-08-06 20:36:40 +0100 |
commit | bff1ce4e6a1c57c3d0a5f9e4f85ba6385fccfe8b (patch) | |
tree | c24f00a3c32889ced0f1a06a89fd94ee151a02c1 | |
parent | a46149c672a45b073a9669a31664308a7025cdb3 (diff) | |
download | openssl-new-bff1ce4e6a1c57c3d0a5f9e4f85ba6385fccfe8b.tar.gz |
Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.
Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).
Fixes CVE-2014-3505
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
-rw-r--r-- | ssl/d1_both.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 51d484d7ea..b720a54311 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -698,8 +698,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) return DTLS1_HM_FRAGMENT_RETRY; err: - if (frag != NULL) dtls1_hm_fragment_free(frag); - if (item != NULL) OPENSSL_free(item); + if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); *ok = 0; return i; } @@ -783,8 +782,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) return DTLS1_HM_FRAGMENT_RETRY; err: - if ( frag != NULL) dtls1_hm_fragment_free(frag); - if ( item != NULL) OPENSSL_free(item); + if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); *ok = 0; return i; } |