Prevent a possible use after free by mimicing the s3_srvr.c fixes contributed by

Adam Langley close to three years ago, which were commited in
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e7928282d0148af5f28fa3437a625a2006af0214

ok jsing@

diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c
index 6f1d436..848bc0f 100644 (file)
--- a/lib/libssl/d1_srvr.c
+++ b/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.34 2014/07/28 04:23:12 guenther Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.35 2014/08/06 20:11:09 miod Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -1065,7 +1065,6 @@ dtls1_send_server_key_exchange(SSL *s)
                        }
 
                        if (s->s3->tmp.dh != NULL) {
-                               DH_free(dh);
                                SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
                        }
@@ -1110,8 +1109,6 @@ dtls1_send_server_key_exchange(SSL *s)
                        }
 
                        if (s->s3->tmp.ecdh != NULL) {
-                               EC_KEY_free(s->s3->tmp.ecdh);
-
                                SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
                        }

diff --git a/lib/libssl/src/ssl/d1_srvr.c b/lib/libssl/src/ssl/d1_srvr.c
index 6f1d436..848bc0f 100644 (file)
--- a/lib/libssl/src/ssl/d1_srvr.c
+++ b/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.34 2014/07/28 04:23:12 guenther Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.35 2014/08/06 20:11:09 miod Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -1065,7 +1065,6 @@ dtls1_send_server_key_exchange(SSL *s)
                        }
 
                        if (s->s3->tmp.dh != NULL) {
-                               DH_free(dh);
                                SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
                        }
@@ -1110,8 +1109,6 @@ dtls1_send_server_key_exchange(SSL *s)
                        }
 
                        if (s->s3->tmp.ecdh != NULL) {
-                               EC_KEY_free(s->s3->tmp.ecdh);
-
                                SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
                        }