From 3b6d92e82b1421b811bcdec7f7fdfb31eeef18de Mon Sep 17 00:00:00 2001
From: jca <>
Date: Thu, 27 Feb 2014 21:04:57 +0000
Subject: SECURITY fixes backported from openssl-1.0.1f.  ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
 Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896
---
 src/lib/libssl/d1_both.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'src/lib/libssl/d1_both.c')

diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index de8bab873f..72b3b20ae4 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -214,6 +214,13 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
 static void
 dtls1_hm_fragment_free(hm_fragment *frag)
 	{
+
+	if (frag->msg_header.is_ccs)
+		{
+		EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
+		EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
+		}
+
 	if (frag->fragment) OPENSSL_free(frag->fragment);
 	if (frag->reassembly) OPENSSL_free(frag->reassembly);
 	OPENSSL_free(frag);
-- 
cgit v1.2.3-55-g6feb