From 63414e64e66e376654e993ac966e3b2f9d849d3b Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sat, 28 Jan 2017 15:14:07 +0100 Subject: [PATCH] Correct pointer to be freed The pointer that was freed in the SSLv2 section of ssl_bytes_to_cipher_list may have stepped up from its allocated position. Use a pointer that is guaranteed to point at the start of the allocated block instead. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/2312) --- ssl/statem/statem_srvr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 0043b05dac..2e76b80b86 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3489,7 +3489,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, || (leadbyte != 0 && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) { *al = SSL_AD_INTERNAL_ERROR; - OPENSSL_free(raw); + OPENSSL_free(s->s3->tmp.ciphers_raw); s->s3->tmp.ciphers_raw = NULL; s->s3->tmp.ciphers_rawlen = 0; goto err; -- 2.25.1