Revision 2172d4f63c61922487008f42511cc6bdae9b47a0 authored by Adam Langley on 06 June 2014, 21:19:21 UTC, committed by Matt Caswell on 06 August 2014, 19:27:51 UTC
The |item| variable, in both of these cases, may contain a pointer to a |pitem| structure within |s->d1->buffered_messages|. It was being freed in the error case while still being in |buffered_messages|. When the error later caused the |SSL*| to be destroyed, the item would be double freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
1 parent c34091d
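The ownership mistake the commit message describes, as an added example that is not OpenSSL's code: a small model of the buffered-message queue backed by a counting fake heap, so the faulty cleanup (free |item| on error even though the queue still references it) can be compared with the fixed one (free nothing the queue owns). The pool, the simplified pitem/pqueue types and the buffer_fragment/double_frees functions are constructed for illustration and only mimic the shape of the real d1_both.c code.

```c
#include <string.h>
#define MAX_ITEMS 8
/* Model of a pitem; the queue (buffered_messages) owns it once inserted. */
typedef struct { int seq; int in_use; int frees; } pitem;
typedef struct { pitem *items[MAX_ITEMS]; int n; } pqueue;
/* Constructed fake heap: a double free is counted here, not executed. */
static pitem pool[MAX_ITEMS];

static pitem *pitem_new(int seq) {  /* take the first free slot */
    for (int i = 0; i < MAX_ITEMS; i++)
        if (!pool[i].in_use) { pool[i] = (pitem){ seq, 1, 0 }; return &pool[i]; }
    return NULL;
}
static void pitem_free(pitem *it) { it->frees++; it->in_use = 0; }
static pitem *pqueue_find(pqueue *q, int seq) {
    for (int i = 0; i < q->n; i++) if (q->items[i]->seq == seq) return q->items[i];
    return NULL;
}
static int pqueue_insert(pqueue *q, pitem *it) {
    if (q->n == MAX_ITEMS) return 0;
    q->items[q->n++] = it; return 1;
}
/* What SSL_free does with s->d1->buffered_messages: free every queued item. */
static void pqueue_destroy(pqueue *q) {
    for (int i = 0; i < q->n; i++) pitem_free(q->items[i]);
    q->n = 0;
}

/* Buffer a fragment of message 'seq'. 'bad' forces the error path on a
 * fragment whose item is already queued; fixed=0 is the faulty cleanup. */
static int buffer_fragment(pqueue *q, int seq, int bad, int fixed) {
    pitem *item = pqueue_find(q, seq);  /* non-NULL: the queue owns it */
    if (item == NULL) {
        if ((item = pitem_new(seq)) == NULL) return 0;
        if (!pqueue_insert(q, item)) { pitem_free(item); return 0; } /* still ours */
        return 1;
    }
    if (bad) goto err;  /* e.g. header disagrees with the queued message */
    return 1;
err:
    if (!fixed) pitem_free(item);  /* faulty: the queue still references item */
    return 0;                      /* fixed: free nothing, the queue owns item */
}
/* Scenario: buffer seq 1, fail on a second fragment of seq 1, tear down.
 * Returns how many items were freed more than once (0 is correct). */
static int double_frees(int fixed) {
    pqueue q = { {0}, 0 }; int dbl = 0;
    memset(pool, 0, sizeof pool);
    buffer_fragment(&q, 1, 0, fixed);
    buffer_fragment(&q, 1, 1, fixed);
    pqueue_destroy(&q);
    for (int i = 0; i < MAX_ITEMS; i++) if (pool[i].frees > 1) dbl++;
    return dbl;
}
```

With the faulty cleanup the scenario reports one item freed twice; with the fixed cleanup it reports none, because teardown of the queue is the only place a queued item is released.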
