From 3a54f9e01592df7ef3ffd845b26178d3c640f5de Mon Sep 17 00:00:00 2001
From: Adam Langley
Date: Fri, 20 Jun 2014 12:00:00 -0700
Subject: [PATCH] Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug. PR#3362 (Imported from upstream's 8de85b00484e7e4ca6f0b6e174fb1dc97db91281)
---
 ssl/d1_pkt.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index a3bc1e6e..f0837796 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -231,14 +231,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 item->data = rdata;
- /* insert should not fail, since duplicates are dropped */
- if (pqueue_insert(queue->q, item) == NULL)
- {
- OPENSSL_free(rdata);
- pitem_free(item);
- return(0);
- }
-
 s->packet = NULL;
 s->packet_length = 0;
 memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
@@ -251,7 +243,15 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 pitem_free(item);
 return(0);
 }
-
+
+ /* insert should not fail, since duplicates are dropped */
+ if (pqueue_insert(queue->q, item) == NULL)
+ {
+ OPENSSL_free(rdata);
+ pitem_free(item);
+ return(0);
+ }
+
 return(1);
 }
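Review bot: The relocated `pqueue_insert` failure path at the end of the second hunk frees `rdata` and `item` but not the record buffer that `rdata` appears to have taken over; by this point `s->s3->rbuf` has been zeroed and set up again, so nothing else would still reference that buffer and it would leak each time the insert fails. Releasing it first, e.g. `if (rdata->rbuf.buf != NULL) OPENSSL_free(rdata->rbuf.buf);` ahead of `OPENSSL_free(rdata);`, would close that, and the same applies to the `ssl3_setup_buffers()` failure path whose tail is visible at the top of the hunk. The comment `insert should not fail, since duplicates are dropped` is worth rechecking too: if `pqueue_insert` returns NULL for a duplicate priority, this branch is reachable from peer-supplied records rather than only on internal error, which would make the leak a memory-exhaustion concern. The copy into `rdata` and the start of `dtls1_buffer_record` lie outside the hunk, so the ownership of the buffer should be confirmed there.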