Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
compat-openssl098.2467
openssl-CVE-2014-3505.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-CVE-2014-3505.patch of Package compat-openssl098.2467
commit 1b7024fb69161619855d86b80ae0681ea802e245 Author: Adam Langley <agl@imperialviolet.org> Date: Fri Jun 6 14:19:21 2014 -0700 Avoid double free when processing DTLS packets. The |item| variable, in both of these cases, may contain a pointer to a |pitem| structure within |s->d1->buffered_messages|. It was being freed in the error case while still being in |buffered_messages|. When the error later caused the |SSL*| to be destroyed, the item would be double freed. Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was inconsistent with the other error paths (but correct). Fixes CVE-2014-3505 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org> Index: openssl-0.9.8j/ssl/d1_both.c =================================================================== --- openssl-0.9.8j.orig/ssl/d1_both.c 2014-08-08 15:11:38.253762668 +0200 +++ openssl-0.9.8j/ssl/d1_both.c 2014-08-08 15:11:42.657812704 +0200 @@ -614,8 +614,7 @@ dtls1_process_out_of_seq_message(SSL *s, return DTLS1_HM_FRAGMENT_RETRY; err: - if ( frag != NULL) dtls1_hm_fragment_free(frag); - if ( item != NULL) OPENSSL_free(item); + if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); *ok = 0; return i; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor