diff options
author | David Ramos <daramos@stanford.edu> | 2014-06-01 21:42:47 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2014-06-01 21:42:47 +0100 |
commit | 8343e6b6b245e38ea1584ece7c533e807709de5b (patch) | |
tree | e99f2c270c319bfc059574d7e278e10b9f5c46ee /ssl/d1_pkt.c | |
parent | f87c6a551e4098a1c71758d2738636b67a7013a7 (diff) |
Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug. PR#3362
Diffstat (limited to 'ssl/d1_pkt.c')
-rw-r--r-- | ssl/d1_pkt.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index cbefaecf8f..5d0075cca8 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -231,13 +231,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) item->data = rdata; - /* insert should not fail, since duplicates are dropped */ - if (pqueue_insert(queue->q, item) == NULL) - { - OPENSSL_free(rdata); - pitem_free(item); - return(0); - } s->packet = NULL; s->packet_length = 0; @@ -251,6 +244,14 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) pitem_free(item); return(0); } + + /* insert should not fail, since duplicates are dropped */ + if (pqueue_insert(queue->q, item) == NULL) + { + OPENSSL_free(rdata); + pitem_free(item); + return(0); + } return(1); } |