Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a |pitem| structure within |s->d1->buffered_messages|. It was being freed in the error case while still being in |buffered_messages|. When the error later caused the |SSL*| to be destroyed, the item would be double freed. Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was inconsistent with the other error paths (but correct). Fixes CVE-2014-3505 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org> (Imported from upstream's 49850075555893c9c60d5b981deb697f3b9515ea) Change-Id: Ie40007184f6194ba032b4213c18d36254e80aaa6 Reviewed-on: https://boringssl-review.googlesource.com/1432 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
eeb9f491e8
commit
d06afe40ab
@ -701,8 +701,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
|
|||||||
return DTLS1_HM_FRAGMENT_RETRY;
|
return DTLS1_HM_FRAGMENT_RETRY;
|
||||||
|
|
||||||
err:
|
err:
|
||||||
if (frag != NULL) dtls1_hm_fragment_free(frag);
|
if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
|
||||||
if (item != NULL) OPENSSL_free(item);
|
|
||||||
*ok = 0;
|
*ok = 0;
|
||||||
return i;
|
return i;
|
||||||
}
|
}
|
||||||
@ -786,8 +785,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
|
|||||||
return DTLS1_HM_FRAGMENT_RETRY;
|
return DTLS1_HM_FRAGMENT_RETRY;
|
||||||
|
|
||||||
err:
|
err:
|
||||||
if ( frag != NULL) dtls1_hm_fragment_free(frag);
|
if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
|
||||||
if ( item != NULL) OPENSSL_free(item);
|
|
||||||
*ok = 0;
|
*ok = 0;
|
||||||
return i;
|
return i;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user