PR: 2314

author Dr. Stephen Henson <steve@openssl.org>

Sun, 10 Oct 2010 12:33:10 +0000 (12:33 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Sun, 10 Oct 2010 12:33:10 +0000 (12:33 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Sun, 10 Oct 2010 12:33:10 +0000 (12:33 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Sun, 10 Oct 2010 12:33:10 +0000 (12:33 +0000)
diff --git a/CHANGES b/CHANGES

index b6708ffdc6cacadd4c97b1a79f29cf262569fd3c..80d0d4a67a197413743e23dffc5a2eb8794c182a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -857,6 +857,9 @@
    
   Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
  
+  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
+     [Steve Henson]
+
    *) Don't reencode certificate when calculating signature: cache and use
       the original encoding instead. This makes signature verification of
       some broken encodings work correctly.
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c

index 41769febab79f5bfe70d92b46b1f777c1a0ca654..6eab135c05689aefd10c0bfe751b6930bea535e5 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1508,6 +1508,7 @@ int ssl3_get_key_exchange(SSL *s)
                 s->session->sess_cert->peer_ecdh_tmp=ecdh;
                 ecdh=NULL;
                 BN_CTX_free(bn_ctx);
+               bn_ctx = NULL;
                 EC_POINT_free(srvr_ecpoint);
                 srvr_ecpoint = NULL;
                 }
author	Dr. Stephen Henson <steve@openssl.org>
	Sun, 10 Oct 2010 12:33:10 +0000 (12:33 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Sun, 10 Oct 2010 12:33:10 +0000 (12:33 +0000)
CHANGES		patch \| blob \| history
ssl/s3_clnt.c		patch \| blob \| history