Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug. PR#3362

author: David Ramos <daramos@stanford.edu> 2014-06-01 21:42:47 +0100
committer: Matt Caswell <matt@openssl.org> 2014-06-01 21:42:47 +0100
commit: 8343e6b6b245e38ea1584ece7c533e807709de5b (patch)
tree: e99f2c270c319bfc059574d7e278e10b9f5c46ee /ssl/d1_pkt.c
parent: f87c6a551e4098a1c71758d2738636b67a7013a7 (diff)
1 files changed, 8 insertions, 7 deletions
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index cbefaecf8f..5d0075cca8 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -231,13 +231,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 
 	item->data = rdata;
 
-	/* insert should not fail, since duplicates are dropped */
-	if (pqueue_insert(queue->q, item) == NULL)
-		{
-		OPENSSL_free(rdata);
-		pitem_free(item);
-		return(0);
-		}
 
 	s->packet = NULL;
 	s->packet_length = 0;
@@ -251,6 +244,14 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 		pitem_free(item);
 		return(0);
 		}
+
+	/* insert should not fail, since duplicates are dropped */
+	if (pqueue_insert(queue->q, item) == NULL)
+		{
+		OPENSSL_free(rdata);
+		pitem_free(item);
+		return(0);
+		}
 	
 	return(1);
 	}
author	David Ramos <daramos@stanford.edu>	2014-06-01 21:42:47 +0100
committer	Matt Caswell <matt@openssl.org>	2014-06-01 21:42:47 +0100
commit	8343e6b6b245e38ea1584ece7c533e807709de5b (patch)
tree	e99f2c270c319bfc059574d7e278e10b9f5c46ee /ssl/d1_pkt.c
parent	f87c6a551e4098a1c71758d2738636b67a7013a7 (diff)