diff options
author | Simon L. B. Nielsen <simon@FreeBSD.org> | 2009-08-23 14:15:28 +0000 |
---|---|---|
committer | Simon L. B. Nielsen <simon@FreeBSD.org> | 2009-08-23 14:15:28 +0000 |
commit | 58c74b7534a4526075de41fd4b24bc769866523a (patch) | |
tree | 6c32e4652df546de40a7d32b291a91f7f3cd18fe | |
parent | f8f8fb827d260bb6161b82bb67de04c0a4c9868c (diff) | |
download | src-test2-58c74b7534a4526075de41fd4b24bc769866523a.tar.gz src-test2-58c74b7534a4526075de41fd4b24bc769866523a.zip |
Import DTLS fix from upstream OpenSSL 0.9.8 branch:
Do not access freed data structure.
Note that this will not get FreeBSD Security Advisory as DTLS is
experimental in OpenSSL.
Security: CVE-2009-1379
Obtained from: OpenSSL CVS
http://cvs.openssl.org/chngview?cn=18156
Notes
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=196463
-rw-r--r-- | ssl/d1_both.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 0c863179bc88..967d8c542ddb 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) if ( s->d1->handshake_read_seq == frag->msg_header.seq) { + unsigned long frag_len = frag->msg_header.frag_len; pqueue_pop(s->d1->buffered_messages); al=dtls1_preprocess_fragment(s,&frag->msg_header,max); @@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) if (al==0) { *ok = 1; - return frag->msg_header.frag_len; + return frag_len; } ssl3_send_alert(s,SSL3_AL_FATAL,al); |