authorMark J. Cox <mark@openssl.org>2008-05-28 07:26:33 +0000
committerMark J. Cox <mark@openssl.org>2008-05-28 07:26:33 +0000
commitd3b3a6d389c9824c80e503229ff2a6109031736f (patch)
tree59ad0500c75fa382cf5d11d30ba2b73fbad3a47c
parentfc260b09a16442ed76ba34b77eacd4fdcbce93cb (diff)
Fix double-free in TLS server name extensions which could lead to a remote
crash found by Codenomicon TLS test suite (CVE-2008-0891) Reviewed by: openssl-security@openssl.org Obtained from: jorton@redhat.com
-rw-r--r--CHANGES4
-rw-r--r--ssl/t1_lib.c1
2 files changed, 5 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 9c4559fa5a..9d4d7ee16c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
Changes between 0.9.8g and 0.9.8h [xx XXX xxxx]
+ *) Fix double free in TLS server name extensions which could lead to
+ a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
+ [Joe Orton]
+
*) Clear error queue in SSL_CTX_use_certificate_chain_file()
Clear the error queue to ensure that error entries left from
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 93a4caa48e..35f04afa4a 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -381,6 +381,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
s->session->tlsext_hostname[len]='\0';
if (strlen(s->session->tlsext_hostname) != len) {
OPENSSL_free(s->session->tlsext_hostname);
+ s->session->tlsext_hostname = NULL;
*al = TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
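Review bot: The added `s->session->tlsext_hostname = NULL;` carries no comment explaining why it is needed, and the reason is not visible at this site. The field is owned by the session object and is presumably released again when the session is freed, which would be the double free the commit message describes. I would put `/* session teardown frees tlsext_hostname again; clear it so the pointer is not freed twice */` above the assignment. This branch is taken when `strlen()` disagrees with `len`, i.e. the name received from the peer contains an embedded NUL, so the path is reachable from the network. Other error returns in `ssl_parse_clienthello_tlsext` that free session-owned fields should be checked for the same free-without-clear pattern, but the function starts and ends outside the hunk.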