From: Adam Langley Date: Fri, 6 Jun 2014 21:19:21 +0000 (-0700) Subject: Avoid double free when processing DTLS packets. X-Git-Tag: OpenSSL_1_0_0n~13 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=84361b898d456220039bc8b292f7b0ba70224a26;p=oweals%2Fopenssl.git Avoid double free when processing DTLS packets. The |item| variable, in both of these cases, may contain a pointer to a |pitem| structure within |s->d1->buffered_messages|. It was being freed in the error case while still being in |buffered_messages|. When the error later caused the |SSL*| to be destroyed, the item would be double freed. Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was inconsistent with the other error paths (but correct). Fixes CVE-2014-3505 Reviewed-by: Matt Caswell Reviewed-by: Emilia Käsper --- diff --git a/ssl/d1_both.c b/ssl/d1_both.c index eaa2548a3a..f35861de62 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -693,8 +693,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) return DTLS1_HM_FRAGMENT_RETRY; err: - if (frag != NULL) dtls1_hm_fragment_free(frag); - if (item != NULL) OPENSSL_free(item); + if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); *ok = 0; return i; } @@ -778,8 +777,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) return DTLS1_HM_FRAGMENT_RETRY; err: - if ( frag != NULL) dtls1_hm_fragment_free(frag); - if ( item != NULL) OPENSSL_free(item); + if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); *ok = 0; return i; }