From 58c74b7534a4526075de41fd4b24bc769866523a Mon Sep 17 00:00:00 2001
From: "Simon L. B. Nielsen" <simon@FreeBSD.org>
Date: Sun, 23 Aug 2009 14:15:28 +0000
Subject: Import DTLS fix from upstream OpenSSL 0.9.8 branch:

Do not access freed data structure.

Note that this will not get FreeBSD Security Advisory as DTLS is
experimental in OpenSSL.

Security:	CVE-2009-1379
Obtained from:	OpenSSL CVS
		http://cvs.openssl.org/chngview?cn=18156
---
 ssl/d1_both.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 0c863179bc88..967d8c542ddb 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
 
 	if ( s->d1->handshake_read_seq == frag->msg_header.seq)
 		{
+		unsigned long frag_len = frag->msg_header.frag_len;
 		pqueue_pop(s->d1->buffered_messages);
 
 		al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
 		if (al==0)
 			{
 			*ok = 1;
-			return frag->msg_header.frag_len;
+			return frag_len;
 			}
 
 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
-- 
cgit v1.2.3