Fixed memory leak due to incorrect freeing of DTLS reassembly bit mask

PR#3608

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 8a35dbb6d89a16d792b79b157b3e89443639ec94)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 6111047196273d641aa8b558bca1b975e4e191b3..97762b9cfd38e6326031e7d7c36be08f92bedfe0 100644 (file)
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -211,8 +211,7 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
        return frag;
        }
 
-static void
-dtls1_hm_fragment_free(hm_fragment *frag)
+void dtls1_hm_fragment_free(hm_fragment *frag)
        {
 
        if (frag->msg_header.is_ccs)

diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 83db13e5715d2a0edfb253059139924c8e4a31d4..9f8b33b1931bb0076c9a0d3ec6a09f56a2d99596 100644 (file)
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -160,16 +160,14 @@ static void dtls1_clear_queues(SSL *s)
     while( (item = pqueue_pop(s->d1->buffered_messages)) != NULL)
         {
         frag = (hm_fragment *)item->data;
-        OPENSSL_free(frag->fragment);
-        OPENSSL_free(frag);
+        dtls1_hm_fragment_free(frag);
         pitem_free(item);
         }
 
     while ( (item = pqueue_pop(s->d1->sent_messages)) != NULL)
         {
         frag = (hm_fragment *)item->data;
-        OPENSSL_free(frag->fragment);
-        OPENSSL_free(frag);
+        dtls1_hm_fragment_free(frag);
         pitem_free(item);
         }
 

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 2a80b8aff6d1635b08f3aacc52d6a9c2913fece0..cdf938569290f1c80ac7b01812c56dd076f8420e 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -964,6 +964,7 @@ int dtls1_is_timer_expired(SSL *s);
 void dtls1_double_timeout(SSL *s);
 int dtls1_send_newsession_ticket(SSL *s);
 unsigned int dtls1_min_mtu(void);
+void dtls1_hm_fragment_free(hm_fragment *frag);
 
 /* some client-only functions */
 int ssl3_client_hello(SSL *s);