From bf2b14371457bc443895943008b5aa2b82e8d25b Mon Sep 17 00:00:00 2001 From: miod <> Date: Sun, 18 May 2014 16:08:37 +0000 Subject: Make sure ssl3_setup_buffers() does not return upon error with a freed pqueue still chained, by inserting it into the list only after all possible failure conditions have been avoided. Reported and fix proposed by David Ramos; ok beck@ --- src/lib/libssl/d1_pkt.c | 14 +++++++------- src/lib/libssl/src/ssl/d1_pkt.c | 14 +++++++------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index 5d3aaceac6..df18e5bae3 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c @@ -247,13 +247,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) } #endif - /* insert should not fail, since duplicates are dropped */ - if (pqueue_insert(queue->q, item) == NULL) { - free(rdata); - pitem_free(item); - return (0); - } - s->packet = NULL; s->packet_length = 0; memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); @@ -266,6 +259,13 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) return (0); } + /* insert should not fail, since duplicates are dropped */ + if (pqueue_insert(queue->q, item) == NULL) { + free(rdata); + pitem_free(item); + return (0); + } + return (1); } diff --git a/src/lib/libssl/src/ssl/d1_pkt.c b/src/lib/libssl/src/ssl/d1_pkt.c index 5d3aaceac6..df18e5bae3 100644 --- a/src/lib/libssl/src/ssl/d1_pkt.c +++ b/src/lib/libssl/src/ssl/d1_pkt.c @@ -247,13 +247,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) } #endif - /* insert should not fail, since duplicates are dropped */ - if (pqueue_insert(queue->q, item) == NULL) { - free(rdata); - pitem_free(item); - return (0); - } - s->packet = NULL; s->packet_length = 0; memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); 
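Review bot: The `pqueue_insert()` failure branch re-added at the end of `dtls1_buffer_record()` now runs after `s->packet` has been set to NULL and `s->s3->rbuf` has been zeroed, yet it still releases only the `rdata` struct and the `pitem`. If `rdata` was handed the previous read buffer earlier in the function (that part is outside the hunk), then a rejected duplicate leaves the buffer unreferenced and leaked, and a peer able to trigger repeated rejections could grow memory use. Consider releasing the saved buffer in this branch, e.g. `free(rdata->rbuf.buf);` before `free(rdata);`, and check whether the `ssl3_setup_buffers()` failure path just above, only partly visible here, needs the same. The identical hunk in `src/lib/libssl/src/ssl/d1_pkt.c` would need the same change.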
@@ -266,6 +259,13 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) return (0); } + /* insert should not fail, since duplicates are dropped */ + if (pqueue_insert(queue->q, item) == NULL) { + free(rdata); + pitem_free(item); + return (0); + } + return (1); } -- cgit v1.2.3-55-g6feb