From ec8f246e6ed4d39a8a5417078eaa49f3e757c25d Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 5 May 2016 09:35:10 +0100
Subject: [PATCH] Fix a double free in tls1_setup_key_block

If p2 == NULL then p1 can get freed twice and a crash could occur.

Issue reported by Shi Lei (Qihoo 360 Inc)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
---
 ssl/t1_enc.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 514fcb3e4e..b6d1ee95a5 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -673,7 +673,6 @@ int tls1_setup_key_block(SSL *s)
 
     if ((p2 = (unsigned char *)OPENSSL_malloc(num)) == NULL) {
         SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
-        OPENSSL_free(p1);
         goto err;
     }
 #ifdef TLS_DEBUG
-- 
2.25.1