提交 bff1ce4e 编写于 作者: A Adam Langley 提交者: Matt Caswell

Avoid double free when processing DTLS packets.

The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
上级 a46149c6
...@@ -698,8 +698,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) ...@@ -698,8 +698,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
return DTLS1_HM_FRAGMENT_RETRY; return DTLS1_HM_FRAGMENT_RETRY;
err: err:
if (frag != NULL) dtls1_hm_fragment_free(frag); if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
if (item != NULL) OPENSSL_free(item);
*ok = 0; *ok = 0;
return i; return i;
} }
...@@ -783,8 +782,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) ...@@ -783,8 +782,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
return DTLS1_HM_FRAGMENT_RETRY; return DTLS1_HM_FRAGMENT_RETRY;
err: err:
if ( frag != NULL) dtls1_hm_fragment_free(frag); if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
if ( item != NULL) OPENSSL_free(item);
*ok = 0; *ok = 0;
return i; return i;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册