diff options
| author | miod <> | 2014-05-18 16:08:37 +0000 |
|---|---|---|
| committer | miod <> | 2014-05-18 16:08:37 +0000 |
| commit | bf2b14371457bc443895943008b5aa2b82e8d25b (patch) | |
| tree | 8e936a8194c9b9f126675062d5b6654390818591 | |
| parent | f1e8706ced8f59e8cca67cb75b29c503731e2555 (diff) | |
| download | openbsd-bf2b14371457bc443895943008b5aa2b82e8d25b.tar.gz openbsd-bf2b14371457bc443895943008b5aa2b82e8d25b.tar.bz2 openbsd-bf2b14371457bc443895943008b5aa2b82e8d25b.zip | |
Make sure ssl3_setup_buffers() does not return upon error with a freed
pqueue still chained, by inserting it into the list only after all possible
failure conditions have been avoided.
Reported and fix proposed by David Ramos; ok beck@
| -rw-r--r-- | src/lib/libssl/d1_pkt.c | 14 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/d1_pkt.c | 14 |
2 files changed, 14 insertions, 14 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index 5d3aaceac6..df18e5bae3 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c | |||
| @@ -247,13 +247,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) | |||
| 247 | } | 247 | } |
| 248 | #endif | 248 | #endif |
| 249 | 249 | ||
| 250 | /* insert should not fail, since duplicates are dropped */ | ||
| 251 | if (pqueue_insert(queue->q, item) == NULL) { | ||
| 252 | free(rdata); | ||
| 253 | pitem_free(item); | ||
| 254 | return (0); | ||
| 255 | } | ||
| 256 | |||
| 257 | s->packet = NULL; | 250 | s->packet = NULL; |
| 258 | s->packet_length = 0; | 251 | s->packet_length = 0; |
| 259 | memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); | 252 | memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); |
| @@ -266,6 +259,13 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) | |||
| 266 | return (0); | 259 | return (0); |
| 267 | } | 260 | } |
| 268 | 261 | ||
| 262 | /* insert should not fail, since duplicates are dropped */ | ||
| 263 | if (pqueue_insert(queue->q, item) == NULL) { | ||
| 264 | free(rdata); | ||
| 265 | pitem_free(item); | ||
| 266 | return (0); | ||
| 267 | } | ||
| 268 | |||
| 269 | return (1); | 269 | return (1); |
| 270 | } | 270 | } |
| 271 | 271 | ||
diff --git a/src/lib/libssl/src/ssl/d1_pkt.c b/src/lib/libssl/src/ssl/d1_pkt.c index 5d3aaceac6..df18e5bae3 100644 --- a/src/lib/libssl/src/ssl/d1_pkt.c +++ b/src/lib/libssl/src/ssl/d1_pkt.c | |||
| @@ -247,13 +247,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) | |||
| 247 | } | 247 | } |
| 248 | #endif | 248 | #endif |
| 249 | 249 | ||
| 250 | /* insert should not fail, since duplicates are dropped */ | ||
| 251 | if (pqueue_insert(queue->q, item) == NULL) { | ||
| 252 | free(rdata); | ||
| 253 | pitem_free(item); | ||
| 254 | return (0); | ||
| 255 | } | ||
| 256 | |||
| 257 | s->packet = NULL; | 250 | s->packet = NULL; |
| 258 | s->packet_length = 0; | 251 | s->packet_length = 0; |
| 259 | memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); | 252 | memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); |
| @@ -266,6 +259,13 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) | |||
| 266 | return (0); | 259 | return (0); |
| 267 | } | 260 | } |
| 268 | 261 | ||
| 262 | /* insert should not fail, since duplicates are dropped */ | ||
| 263 | if (pqueue_insert(queue->q, item) == NULL) { | ||
| 264 | free(rdata); | ||
| 265 | pitem_free(item); | ||
| 266 | return (0); | ||
| 267 | } | ||
| 268 | |||
| 269 | return (1); | 269 | return (1); |
| 270 | } | 270 | } |
| 271 | 271 | ||