File openssl-CVE-2014-3505.patch of Package compat-openssl098.703

Overview Repositories Revisions Requests Users Attributes Meta

File openssl-CVE-2014-3505.patch of Package compat-openssl098.703

commit 1b7024fb69161619855d86b80ae0681ea802e245
Author: Adam Langley <agl@imperialviolet.org>
Date:   Fri Jun 6 14:19:21 2014 -0700

Avoid double free when processing DTLS packets.
    
    The |item| variable, in both of these cases, may contain a pointer to a
    |pitem| structure within |s->d1->buffered_messages|. It was being freed
    in the error case while still being in |buffered_messages|. When the
    error later caused the |SSL*| to be destroyed, the item would be double
    freed.
    
    Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
    inconsistent with the other error paths (but correct).
    
    Fixes CVE-2014-3505
    
    Reviewed-by: Matt Caswell <matt@openssl.org>
    Reviewed-by: Emilia Käsper <emilia@openssl.org>

Index: openssl-0.9.8j/ssl/d1_both.c
===================================================================
--- openssl-0.9.8j.orig/ssl/d1_both.c	2014-08-08 15:11:38.253762668 +0200
+++ openssl-0.9.8j/ssl/d1_both.c	2014-08-08 15:11:42.657812704 +0200
@@ -614,8 +614,7 @@ dtls1_process_out_of_seq_message(SSL *s,
 	return DTLS1_HM_FRAGMENT_RETRY;
 
 err:
-	if ( frag != NULL) dtls1_hm_fragment_free(frag);
-	if ( item != NULL) OPENSSL_free(item);
+	if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
 	*ok = 0;
 	return i;
 	}

Places

File openssl-CVE-2014-3505.patch of Package compat-openssl098.703

Places