From 60de554e4fbb80030358310d0f098b5214a5367a Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 25 Nov 2014 13:36:00 +0000
Subject: [PATCH] Fixed memory leak due to incorrect freeing of DTLS reassembly bit mask

PR#3608
Reviewed-by: Tim Hudson
(cherry picked from commit 8a35dbb6d89a16d792b79b157b3e89443639ec94)
---
 ssl/d1_both.c | 3 +--
 ssl/d1_lib.c | 6 ++----
 ssl/ssl_locl.h | 1 +
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 3819527e74..6132086d30 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -211,8 +211,7 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
 return frag;
 }

-static void
-dtls1_hm_fragment_free(hm_fragment *frag)
+void dtls1_hm_fragment_free(hm_fragment *frag)
 {

 if (frag->msg_header.is_ccs)
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 25c58a8af9..a593c7859e 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -187,16 +187,14 @@ static void dtls1_clear_queues(SSL *s)
 while( (item = pqueue_pop(s->d1->buffered_messages)) != NULL)
 {
 frag = (hm_fragment *)item->data;
- OPENSSL_free(frag->fragment);
- OPENSSL_free(frag);
+ dtls1_hm_fragment_free(frag);
 pitem_free(item);
 }

 while ( (item = pqueue_pop(s->d1->sent_messages)) != NULL)
 {
 frag = (hm_fragment *)item->data;
- OPENSSL_free(frag->fragment);
- OPENSSL_free(frag);
+ dtls1_hm_fragment_free(frag);
 pitem_free(item);
 }

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index f779af6aa3..ed0a1584b3 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1202,6 +1202,7 @@ int dtls1_is_timer_expired(SSL *s);
 void dtls1_double_timeout(SSL *s);
 int dtls1_send_newsession_ticket(SSL *s);
 unsigned int dtls1_min_mtu(void);
+void dtls1_hm_fragment_free(hm_fragment *frag);

 /* some client-only functions */
 int ssl3_client_hello(SSL *s);
-- 
2.34.1
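Review bot: With `static` dropped, `dtls1_hm_fragment_free` is reachable from other translation units, yet its first visible statement, `if (frag->msg_header.is_ccs)`, dereferences `frag` unconditionally. A destructor shared across files is easier to use safely when it tolerates NULL, so consider opening the body with `if (frag == NULL) return;`. A short comment above the definition stating that it releases everything the fragment owns, and that the pointer must not be used afterwards, would also help new callers. The rest of the body lies outside this hunk, so the exact list of released members has to come from the full function.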
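Review bot: Both loops in `dtls1_clear_queues` now release more than the two `OPENSSL_free` calls they replace, because each entry also goes through the `is_ccs` branch visible at the top of `dtls1_hm_fragment_free` in the d1_both.c hunk. For entries popped from `sent_messages`, please confirm that whatever that branch frees is owned by the fragment alone and is not still referenced from `s` when the queues are cleared, since otherwise the leak fix could become a double free or use-after-free. That branch's body is not visible here, so this is a question to settle against the full function rather than a confirmed defect. A comment such as `/* releases everything the fragment owns, not only ->fragment */` above the first call would record why the helper is used. `dtls1_clear_queues` continues past the end of the hunk.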