53 lines
1.6 KiB
Diff
53 lines
1.6 KiB
Diff
From 2172d4f63c61922487008f42511cc6bdae9b47a0 Mon Sep 17 00:00:00 2001
|
|
From: Adam Langley <agl@imperialviolet.org>
|
|
Date: Fri, 6 Jun 2014 14:19:21 -0700
|
|
Subject: [PATCH] Avoid double free when processing DTLS packets.
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
The |item| variable, in both of these cases, may contain a pointer to a
|
|
|pitem| structure within |s->d1->buffered_messages|. It was being freed
|
|
in the error case while still being in |buffered_messages|. When the
|
|
error later caused the |SSL*| to be destroyed, the item would be double
|
|
freed.
|
|
|
|
Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
|
|
inconsistent with the other error paths (but correct).
|
|
|
|
Fixes CVE-2014-3505
|
|
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
---
|
|
ssl/d1_both.c | 6 ++----
|
|
1 file changed, 2 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
|
|
index c1eb970..cdb83b6 100644
|
|
--- a/ssl/d1_both.c
|
|
+++ b/ssl/d1_both.c
|
|
@@ -693,8 +693,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
|
|
return DTLS1_HM_FRAGMENT_RETRY;
|
|
|
|
err:
|
|
- if (frag != NULL) dtls1_hm_fragment_free(frag);
|
|
- if (item != NULL) OPENSSL_free(item);
|
|
+ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
|
|
*ok = 0;
|
|
return i;
|
|
}
|
|
@@ -778,8 +777,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
|
|
return DTLS1_HM_FRAGMENT_RETRY;
|
|
|
|
err:
|
|
- if ( frag != NULL) dtls1_hm_fragment_free(frag);
|
|
- if ( item != NULL) OPENSSL_free(item);
|
|
+ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
|
|
*ok = 0;
|
|
return i;
|
|
}
|
|
--
|
|
1.8.3.1
|
|
|