From 724b1063fe45f812c6c49b2bd4e01ffac44b5cf7 Mon Sep 17 00:00:00 2001 From: jca Date: Thu, 27 Feb 2014 21:04:57 +0000 Subject: SECURITY fixes backported from openssl-1.0.1f. ok mikeb@ CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896 --- lib/libssl/src/ssl/d1_both.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'lib/libssl/src/ssl/d1_both.c') diff --git a/lib/libssl/src/ssl/d1_both.c b/lib/libssl/src/ssl/d1_both.c index de8bab873f2..72b3b20ae4e 100644 --- a/lib/libssl/src/ssl/d1_both.c +++ b/lib/libssl/src/ssl/d1_both.c @@ -214,6 +214,13 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) static void dtls1_hm_fragment_free(hm_fragment *frag) { + + if (frag->msg_header.is_ccs) + { + EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx); + EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); + } + if (frag->fragment) OPENSSL_free(frag->fragment); if (frag->reassembly) OPENSSL_free(frag->reassembly); OPENSSL_free(frag); -- cgit v1.2.3-59-g8ed1b