Avoid double free when processing DTLS packets.
authorAdam Langley <agl@imperialviolet.org>
Fri, 6 Jun 2014 21:19:21 +0000 (14:19 -0700)
committerMatt Caswell <matt@openssl.org>
Wed, 6 Aug 2014 19:41:23 +0000 (20:41 +0100)
commit49850075555893c9c60d5b981deb697f3b9515ea
treeaaf2dbd3a94db8f39df553e0366ed68b6b12f0d6
parent89d2f8f1a973c42ef24fe9d6d5b57be1c536c32e
Avoid double free when processing DTLS packets.

The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
ssl/d1_both.c