When we are clearing the sent messages queue we should ensure we free any
old enc_write_ctx/write_hash that are no longer in use. Previously this
logic was in dtls1_hm_fragment_free() - but this can end up freeing the
current enc_write_ctx/write_hash under certain error conditions.
Fixes #22664
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2261)
while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
frag = (hm_fragment *)item->data;
+
+ if (frag->msg_header.is_ccs) {
+ /*
+ * If we're freeing the CCS then we're done with the old
+ * enc_write_ctx/write_hash and they can be freed
+ */
+ if (s->enc_write_ctx
+ != frag->msg_header.saved_retransmit_state.enc_write_ctx)
+ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state
+ .enc_write_ctx);
+
+ if (s->write_hash
+ != frag->msg_header.saved_retransmit_state.write_hash)
+ EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state
+ .write_hash);
+ }
+
dtls1_hm_fragment_free(frag);
pitem_free(item);
}
SSL_SESSION_free(s->psksession);
OPENSSL_free(s->psksession_id);
- clear_ciphers(s);
-
ssl_cert_free(s->cert);
OPENSSL_free(s->shared_sigalgs);
/* Free up if allocated */
if (s->method != NULL)
s->method->ssl_free(s);
+ /*
+ * Must occur after s->method->ssl_free(). The DTLS sent_messages queue
+ * may reference the EVP_CIPHER_CTX/EVP_MD_CTX that are freed here.
+ */
+ clear_ciphers(s);
+
SSL_CTX_free(s->ctx);
ASYNC_WAIT_CTX_free(s->waitctx);
{
if (!frag)
return;
- if (frag->msg_header.is_ccs) {
- EVP_CIPHER_CTX_free(frag->msg_header.
- saved_retransmit_state.enc_write_ctx);
- EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state.write_hash);
- }
+
OPENSSL_free(frag->fragment);
OPENSSL_free(frag->reassembly);
OPENSSL_free(frag);