Avoid double free when processing DTLS packets.

The |item| variable, in both of these cases, may contain a pointer to a |pitem| structure within |s->d1->buffered_messages|. It was being freed in the error case while still being in |buffered_messages|. When the error later caused the |SSL*| to be destroyed, the item would be double freed. Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was inconsistent with the other error paths (but correct). Fixes CVE-2014-3505 Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Emilia Käsper <emilia@openssl.org>

Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a |pitem| structure within |s->d1->buffered_messages|. It was being freed in the error case while still being in |buffered_messages|. When the error later caused the |SSL*| to be destroyed, the item would be double freed. Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was inconsistent with the other error paths (but correct). Fixes CVE-2014-3505 Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Emilia Käsper <emilia@openssl.org>
bff1ce4e · Adam Langley · Matt Caswell · a46149c6 · bff1ce4e
隐藏空白更改
内联并排

Showing with 2 addition and 4 deletion

ssl/d1_both.c ssl/d1_both.c +2 -4

未找到文件。
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -698,8 +698,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 	return DTLS1_HM_FRAGMENT_RETRY;

 err:
-	if (frag != NULL) dtls1_hm_fragment_free(frag);
-	if (item != NULL) OPENSSL_free(item);
+	if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
 	*ok = 0;
 	return i;
 	}
@@ -783,8 +782,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 	return DTLS1_HM_FRAGMENT_RETRY;

 err:
-	if ( frag != NULL) dtls1_hm_fragment_free(frag);
-	if ( item != NULL) OPENSSL_free(item);
+	if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
 	*ok = 0;
 	return i;
 	}