Commit bff1ce4

agl authored and mattcaswell committed
Avoid double free when processing DTLS packets.

The |item| variable, in both of these cases, may contain a pointer to a |pitem| structure within |s->d1->buffered_messages|. It was being freed in the error case while still being in |buffered_messages|. When the error later caused the |SSL*| to be destroyed, the item would be double freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef7 was inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
1 parent a46149c commit bff1ce4

1 file changed: +2 -4 lines changed

Diff for: ssl/d1_both.c

@@ -698,8 +698,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
698698
return DTLS1_HM_FRAGMENT_RETRY;
699699

700700
err:
701-
if (frag != NULL) dtls1_hm_fragment_free(frag);
702-
if (item != NULL) OPENSSL_free(item);
701+
if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
703702
*ok = 0;
704703
return i;
705704
}
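Review bot: the new condition `if (frag != NULL && item == NULL)` encodes an ownership rule that the code itself does not state. Per the commit message, a non-NULL `item` means the `pitem` (and the `frag` it carries) already lives in `s->d1->buffered_messages` and is released when the `SSL*` is torn down, so neither may be freed at `err:`. A one-line comment above the `err:` label saying exactly that would stop the next reader from "restoring" the removed `OPENSSL_free(item)` and reintroducing the double free. It is also worth confirming that no path reaches `err:` with `item` allocated but not yet inserted into the queue: with `OPENSSL_free(item)` gone, such a path would now leak instead of double freeing, and if the insert cannot fail there, the comment should say so.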
@@ -783,8 +782,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
783782
return DTLS1_HM_FRAGMENT_RETRY;
784783

785784
err:
786-
if ( frag != NULL) dtls1_hm_fragment_free(frag);
787-
if ( item != NULL) OPENSSL_free(item);
785+
if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
788786
*ok = 0;
789787
return i;
790788
}
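Review bot: this hunk is a verbatim copy of the change in `dtls1_reassemble_fragment`, and the commit message says the earlier fix in 1632ef7 went wrong precisely because the two error paths diverged. To keep them from drifting again, consider pulling the shared cleanup into a small static helper (one that takes `frag` and `item` and frees `frag` only when `item == NULL`) and calling it from both `err:` labels, or at minimum mirror the same ownership comment in both places. Minor: the removed lines used `if ( frag != NULL)` with a stray space; the replacement normalises this, which is fine but folds a style fix into a security fix.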
