From 2e3539fccc844d1324da2dc2eb513bfe0a7244a6 Mon Sep 17 00:00:00 2001
From: miod
Date: Sun, 18 May 2014 16:08:37 +0000
Subject: [PATCH] Make sure ssl3_setup_buffers() does not return upon error with a freed pqueue still chained, by inserting it into the list only after all possible failure conditions have been avoided. Reported and fix proposed by David Ramos; ok beck@
---
 lib/libssl/d1_pkt.c | 14 +++++++-------
 lib/libssl/src/ssl/d1_pkt.c | 14 +++++++-------
 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c
index 5d3aaceac6f..df18e5bae37 100644
--- a/lib/libssl/d1_pkt.c
+++ b/lib/libssl/d1_pkt.c
@@ -247,13 +247,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 }
 #endif
 
- /* insert should not fail, since duplicates are dropped */
- if (pqueue_insert(queue->q, item) == NULL) {
- free(rdata);
- pitem_free(item);
- return (0);
- }
-
 s->packet = NULL;
 s->packet_length = 0;
 memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
@@ -266,6 +259,13 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 return (0);
 }
 
+ /* insert should not fail, since duplicates are dropped */
+ if (pqueue_insert(queue->q, item) == NULL) {
+ free(rdata);
+ pitem_free(item);
+ return (0);
+ }
+
 return (1);
 }
 
diff --git a/lib/libssl/src/ssl/d1_pkt.c b/lib/libssl/src/ssl/d1_pkt.c
index 5d3aaceac6f..df18e5bae37 100644
--- a/lib/libssl/src/ssl/d1_pkt.c
+++ b/lib/libssl/src/ssl/d1_pkt.c
@@ -247,13 +247,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 }
 #endif
 
- /* insert should not fail, since duplicates are dropped */
- if (pqueue_insert(queue->q, item) == NULL) {
- free(rdata);
- pitem_free(item);
- return (0);
- }
-
 s->packet = NULL;
 s->packet_length = 0;
 memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
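Review bot: The relocated `pqueue_insert()` failure path in the second hunk of lib/libssl/d1_pkt.c (and the identical hunk in lib/libssl/src/ssl/d1_pkt.c) still frees only `rdata` and `item`, but it now runs after `s->packet` and `s->s3->rbuf` have been cleared, as the context lines of the first hunk show. If `rdata` took over the previous read buffer earlier in dtls1_buffer_record() (that part of the function is outside the hunk, so this is inferred), a rejected insert would now leak that buffer. If a NULL return is how a duplicate record is reported, as the existing comment hints, the leak could repeat for every duplicate received and grow memory steadily. Consider releasing the buffer first, e.g. `free(rdata->rbuf.buf);` before `free(rdata);`, and rewording the comment to something like `/* a NULL return means the record was a duplicate and was dropped */`.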
@@ -266,6 +259,13 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 return (0);
 }
 
+ /* insert should not fail, since duplicates are dropped */
+ if (pqueue_insert(queue->q, item) == NULL) {
+ free(rdata);
+ pitem_free(item);
+ return (0);
+ }
+
 return (1);
 }
 
-- 
2.20.1