diff options
| author | Richard Levitte <levitte@openssl.org> | 2017-01-28 15:14:07 +0100 |
|---|---|---|
| committer | Richard Levitte <levitte@openssl.org> | 2017-01-28 19:08:14 +0100 |
| commit | 6f2de02624ec55d29f74c4c38994b56ec3250a10 (patch) | |
| tree | 4217eb7f254cb83c6a0685eb04e3465decbbf0b7 | |
| parent | a884c91d76db2eadd34f96936ccf029659dd5942 (diff) | |
Correct pointer to be freed
The pointer that was freed in the SSLv2 section of ssl_bytes_to_cipher_list
may have stepped up from its allocated position. Use a pointer that is
guaranteed to point at the start of the allocated block instead.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2312)
(cherry picked from commit 63414e64e66e376654e993ac966e3b2f9d849d3b)
| -rw-r--r-- | ssl/statem/statem_srvr.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index ad89e93b1e..fa8436140c 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3292,7 +3292,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, || (leadbyte != 0 && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) { *al = SSL_AD_INTERNAL_ERROR; - OPENSSL_free(raw); + OPENSSL_free(s->s3->tmp.ciphers_raw); s->s3->tmp.ciphers_raw = NULL; s->s3->tmp.ciphers_rawlen = 0; goto err; |