authorCaolán McNamara <caolanm@redhat.com>2014-10-17 11:07:59 +0100
committerAndras Timar <andras.timar@collabora.com>2014-10-17 06:23:22 -0700
commit2ae53ab6e6e8eee4384648ab8b40bba72ce746ba (patch)
treeed001823d7932838e2356390484e4f9d2dbcaf9a /external/openssl/CVE-2014-3505.patch
parentc1b850ed0ad3740fb7dc731f0f1bb49b7f5562d4 (diff)
CVE-2014-3566 (etc)
i.e. sync with the Fedora 20 openssl-1.0.1e security backports. Change-Id: I9e07d3aad7f0c7a3fd684d4e52b3b952cfb2f82d
Diffstat (limited to 'external/openssl/CVE-2014-3505.patch')
-rw-r--r--external/openssl/CVE-2014-3505.patch52
1 files changed, 52 insertions, 0 deletions
diff --git a/external/openssl/CVE-2014-3505.patch b/external/openssl/CVE-2014-3505.patch
new file mode 100644
index 000000000000..69284d5fc230
--- /dev/null
+++ b/external/openssl/CVE-2014-3505.patch
@@ -0,0 +1,52 @@
+From 2172d4f63c61922487008f42511cc6bdae9b47a0 Mon Sep 17 00:00:00 2001
+From: Adam Langley <agl@imperialviolet.org>
+Date: Fri, 6 Jun 2014 14:19:21 -0700
+Subject: [PATCH] Avoid double free when processing DTLS packets.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The |item| variable, in both of these cases, may contain a pointer to a
+|pitem| structure within |s->d1->buffered_messages|. It was being freed
+in the error case while still being in |buffered_messages|. When the
+error later caused the |SSL*| to be destroyed, the item would be double
+freed.
+
+Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
+inconsistent with the other error paths (but correct).
+
+Fixes CVE-2014-3505
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Emilia Käsper <emilia@openssl.org>
+---
+ ssl/d1_both.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index c1eb970..cdb83b6 100644
+--- a/a/ssl/d1_both.c
++++ b/b/ssl/d1_both.c
+@@ -693,8 +693,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ return DTLS1_HM_FRAGMENT_RETRY;
+
+ err:
+- if (frag != NULL) dtls1_hm_fragment_free(frag);
+- if (item != NULL) OPENSSL_free(item);
++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
+ *ok = 0;
+ return i;
+ }
+@@ -778,8 +777,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ return DTLS1_HM_FRAGMENT_RETRY;
+
+ err:
+- if ( frag != NULL) dtls1_hm_fragment_free(frag);
+- if ( item != NULL) OPENSSL_free(item);
++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
+ *ok = 0;
+ return i;
+ }
+--
+1.8.3.1
+
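Review bot: The replacement cleanup on the new side of both hunks (`if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);`) is only correct under an invariant the hunk does not show: a non-NULL `item` must mean the `pitem` has already been inserted into `s->d1->buffered_messages`, which then owns `frag` and releases both when the `SSL*` is torn down. If any error path between `pitem_new()` and the queue insert can jump to `err:` with `item` allocated but not yet queued, this condition leaks `item` and `frag` rather than freeing them — a leak is the safer failure than the double free this fixes, but it should be stated. I would add above each cleanup: `/* item != NULL: frag is owned by s->d1->buffered_messages and is freed with the SSL; only an orphaned frag is released here. */`. Both `dtls1_reassemble_fragment` and `dtls1_process_out_of_seq_message` begin outside these hunks, so the allocation/insert sequence that establishes the invariant cannot be checked from this patch alone.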