PR: 1923

Submitted by: Daniel Mentz <daniel.m@sent.com>, Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Don't access freed data structure.

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index ffbe5131d78a2ecba229b14abfb75f98de802601..8883760da50e6683584cecfd35a8c83ec56fd067 100644 (file)
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
 
        if ( s->d1->handshake_read_seq == frag->msg_header.seq)
                {
+               unsigned long frag_len = frag->msg_header.frag_len;
                pqueue_pop(s->d1->buffered_messages);
 
                al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
                if (al==0)
                        {
                        *ok = 1;
-                       return frag->msg_header.frag_len;
+                       return frag_len;
                        }
 
                ssl3_send_alert(s,SSL3_AL_FATAL,al);