From d3bc98058599a5feffbe68d4e5f2ca43a698d95b Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Fri, 10 Mar 2017 15:10:41 +0100 Subject: [PATCH] Avoid questionable use of the value of a pointer that refers to space deallocated by a call to the free function in tls_decrypt_ticket. Reviewed-by: Matt Caswell Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2897) (cherry picked from commit 13ed1afa923f4ffb553e389de08f26e9ce84e8a2) --- ssl/t1_lib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 22a368defe..83e493eb7c 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1311,10 +1311,11 @@ TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick, p = sdec; sess = d2i_SSL_SESSION(NULL, &p, slen); + slen -= p - sdec; OPENSSL_free(sdec); if (sess) { /* Some additional consistency checks */ - if (p != sdec + slen || sess->session_id_length != 0) { + if (slen != 0 || sess->session_id_length != 0) { SSL_SESSION_free(sess); return TICKET_NO_DECRYPT; } -- 2.25.1