RT3774: double-free in DSA

[openssl.git] / ssl / record / ssl3_buffer.c

diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c
index 2ea55c8ba48dd77dbe3e1c9f40473bf0fabd96c0..66fb721b1de1174ba894812cf3167764c3a6326a 100644 (file)
--- a/ssl/record/ssl3_buffer.c
+++ b/ssl/record/ssl3_buffer.c
@@ -110,19 +110,32 @@
  */
 
 #include "../ssl_locl.h"
+#include "record_locl.h"
 
 void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, int n)
 {
-    if(d != NULL)
+    if (d != NULL)
         memcpy(b->buf, d, n);
     b->left = n;
     b->offset = 0;
 }
 
+/*
+ * Clear the contents of an SSL3_BUFFER but retain any memory allocated
+ */
+void SSL3_BUFFER_clear(SSL3_BUFFER *b)
+{
+    unsigned char *buf = b->buf;
+    size_t len = b->len;
+
+    memset(b, 0, sizeof(*b));
+    b->buf = buf;
+    b->len = len;
+}
+
 void SSL3_BUFFER_release(SSL3_BUFFER *b)
 {
-    if (b->buf != NULL)
-        OPENSSL_free(b->buf);
+    OPENSSL_free(b->buf);
     b->buf = NULL;
 }
 
@@ -160,7 +173,7 @@ int ssl3_setup_read_buffer(SSL *s)
         b->len = len;
     }
 
-    s->packet = &(b->buf[0]);
+    RECORD_LAYER_set_packet(&s->rlayer, &(b->buf[0]));
     return 1;
 
  err:
@@ -223,10 +236,8 @@ int ssl3_release_write_buffer(SSL *s)
 
     wb = RECORD_LAYER_get_wbuf(&s->rlayer);
 
-    if (wb->buf != NULL) {
-        OPENSSL_free(wb->buf);
-        wb->buf = NULL;
-    }
+    OPENSSL_free(wb->buf);
+    wb->buf = NULL;
     return 1;
 }
 
@@ -235,9 +246,7 @@ int ssl3_release_read_buffer(SSL *s)
     SSL3_BUFFER *b;
 
     b = RECORD_LAYER_get_rbuf(&s->rlayer);
-    if (b->buf != NULL) {
-        OPENSSL_free(b->buf);
-        b->buf = NULL;
-    }
+    OPENSSL_free(b->buf);
+    b->buf = NULL;
     return 1;
 }