From d535de59dc5c181a7d99c29fd96670de7865ee1c Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 27 Nov 2014 16:07:33 +0000
Subject: Avoid a double-free in an error path.

Reported by Felix Groebert of the Google Security Team.

ok beck@ miod@
---
 src/lib/libssl/d1_srtp.c         | 3 +--
 src/lib/libssl/src/ssl/d1_srtp.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c
index 1443964776..eeb19a6183 100644
--- a/src/lib/libssl/d1_srtp.c
+++ b/src/lib/libssl/d1_srtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srtp.c,v 1.9 2014/11/16 14:12:47 jsing Exp $ */
+/* $OpenBSD: d1_srtp.c,v 1.10 2014/11/27 16:07:33 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -355,7 +355,6 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len, int *al)
 		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
 		    SSL_R_BAD_SRTP_MKI_VALUE);
 		*al = SSL_AD_DECODE_ERROR;
-		sk_SRTP_PROTECTION_PROFILE_free(clnt);
 		goto done;
 	}
 
diff --git a/src/lib/libssl/src/ssl/d1_srtp.c b/src/lib/libssl/src/ssl/d1_srtp.c
index 1443964776..eeb19a6183 100644
--- a/src/lib/libssl/src/ssl/d1_srtp.c
+++ b/src/lib/libssl/src/ssl/d1_srtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srtp.c,v 1.9 2014/11/16 14:12:47 jsing Exp $ */
+/* $OpenBSD: d1_srtp.c,v 1.10 2014/11/27 16:07:33 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -355,7 +355,6 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len, int *al)
 		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
 		    SSL_R_BAD_SRTP_MKI_VALUE);
 		*al = SSL_AD_DECODE_ERROR;
-		sk_SRTP_PROTECTION_PROFILE_free(clnt);
 		goto done;
 	}
 
-- 
cgit v1.2.3-55-g6feb