From 40a706286febe0279336c96374c607daaa1b1d49 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bodo=20M=C3=B6ller?=
Date: Wed, 28 May 2008 22:15:48 +0000
Subject: [PATCH] From HEAD: Fix double-free in TLS server name extensions which could lead to a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
Reviewed by: openssl-security@openssl.org
Obtained from: jorton@redhat.com
---
 CHANGES | 4 ++++
 ssl/t1_lib.c | 1 +
 2 files changed, 5 insertions(+)
diff --git a/CHANGES b/CHANGES
index 63fa6aa972..5d6c7a8d0a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -690,6 +690,10 @@
 Changes between 0.9.8g and 0.9.8h [xx XXX xxxx]
+ *) Fix double free in TLS server name extensions which could lead to
+ a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
+ [Joe Orton]
+
 *) Clear error queue in SSL_CTX_use_certificate_chain_file()
 Clear the error queue to ensure that error entries left from
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index f3c5a16e48..bde52b126b 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -637,6 +637,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 s->session->tlsext_hostname[len]='\0';
 if (strlen(s->session->tlsext_hostname) != len) {
 OPENSSL_free(s->session->tlsext_hostname);
+ s->session->tlsext_hostname = NULL;
 *al = TLS1_AD_UNRECOGNIZED_NAME;
 return 0;
 }
--
2.25.1
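Review bot: The added `s->session->tlsext_hostname = NULL;` in ssl/t1_lib.c has no comment saying why the pointer must be cleared, so a later cleanup could drop it as redundant. Since the commit message describes a double free, session teardown presumably frees this field again after the `return 0`; a comment above the assignment such as `/* session cleanup frees tlsext_hostname again; clear it to avoid a double free */` would record that. This path is taken when `strlen(...) != len`, which happens when the client-supplied name contains an embedded NUL, so a regression test with such a server name would pin the fix. The enclosing function starts and ends outside the hunk, so any other error paths that free session fields are not visible here and are worth checking for the same free-without-clear pattern.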