From a6e56fbffd79e766cebfd7a7cf0a037d1a2885b6 Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Sun, 19 Oct 2014 16:21:58 +0000
Subject: fix two remotely triggerable memory leaks. tested by jasper

---
 src/lib/libssl/src/ssl/d1_srtp.c | 1 +
 src/lib/libssl/src/ssl/t1_lib.c  | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/lib/libssl/src/ssl/d1_srtp.c b/src/lib/libssl/src/ssl/d1_srtp.c
index 928935bd8b..e994a0667a 100644
--- a/src/lib/libssl/src/ssl/d1_srtp.c
+++ b/src/lib/libssl/src/ssl/d1_srtp.c
@@ -213,6 +213,7 @@ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTE
 		else
 			{
 			SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
+			sk_SRTP_PROTECTION_PROFILE_free(profiles);
 			return 1;
 			}
 
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 1cf17cce0d..1b69e4f34d 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -2188,8 +2188,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
 	HMAC_Update(&hctx, etick, eticklen);
 	HMAC_Final(&hctx, tick_hmac, NULL);
 	HMAC_CTX_cleanup(&hctx);
-	if (timingsafe_bcmp(tick_hmac, etick + eticklen, mlen))
+	if (timingsafe_bcmp(tick_hmac, etick + eticklen, mlen)) {
+		EVP_CIPHER_CTX_cleanup(&ctx);
 		return 2;
+	}
 	/* Attempt to decrypt session data */
 	/* Move p after IV to start of encrypted ticket, update length */
 	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
-- 
cgit v1.2.3-55-g6feb