[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Richard Levitte levitte at openssl.org
Sat Jan 28 18:08:20 UTC 2017


The branch OpenSSL_1_1_0-stable has been updated
       via  6f2de02624ec55d29f74c4c38994b56ec3250a10 (commit)
      from  a884c91d76db2eadd34f96936ccf029659dd5942 (commit)


- Log -----------------------------------------------------------------
commit 6f2de02624ec55d29f74c4c38994b56ec3250a10
Author: Richard Levitte <levitte at openssl.org>
Date:   Sat Jan 28 15:14:07 2017 +0100

    Correct pointer to be freed
    
    The pointer that was freed in the SSLv2 section of ssl_bytes_to_cipher_list
    may have stepped up from its allocated position.  Use a pointer that is
    guaranteed to point at the start of the allocated block instead.
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2312)
    (cherry picked from commit 63414e64e66e376654e993ac966e3b2f9d849d3b)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/statem_srvr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index ad89e93..fa84361 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3292,7 +3292,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                     || (leadbyte != 0
                         && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) {
                 *al = SSL_AD_INTERNAL_ERROR;
-                OPENSSL_free(raw);
+                OPENSSL_free(s->s3->tmp.ciphers_raw);
                 s->s3->tmp.ciphers_raw = NULL;
                 s->s3->tmp.ciphers_rawlen = 0;
                 goto err;


More information about the openssl-commits mailing list