if we allocate a new hm_frament in dtls1_buffer_message with
dtls1_hm_fragment_new, the returned fragment contains uninitalized data in the
msg_header field. If an error then occurs, and we free the fragment,
dtls_hm_fragment_free interrogates the msg_header field (which is garbage), and
potentially references undefined values, or worse, accidentally references
available memory that is not owned, leading to various corruptions.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2261)
unsigned char *buf = NULL;
unsigned char *bitmask = NULL;
- if ((frag = OPENSSL_malloc(sizeof(*frag))) == NULL) {
+ if ((frag = OPENSSL_zalloc(sizeof(*frag))) == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
return NULL;
}