author | Matt Caswell <matt@openssl.org> | 2022-11-07 15:13:35 +0000 |
---|---|---|
committer | Hugo Landau <hlandau@openssl.org> | 2022-11-14 07:51:26 +0000 |
commit | 20c7febc860ae8e67f52912ee205d2e324e7beed (patch) | |
tree | e18a3949dc7b34432e754e1cf433bad575efb5d9 /ssl/record | |
parent | 22094d11a780f7485f0929ccfac806e0d02f82a9 (diff) |
Fix memory leak when freeing the DTLS record layer
We need to check whether the sent_messages queue actually has any
messages buffered in it. If not, we won't free the old record layer later when we
clear out the old buffered messages, and a memory leak will result.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19586)
Diffstat (limited to 'ssl/record')
-rw-r--r-- | ssl/record/methods/dtls_meth.c | 2 | ||||
-rw-r--r-- | ssl/record/rec_layer_s3.c | 11 |
2 files changed, 8 insertions, 5 deletions
diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c
index 7cd3d51976..858417d965 100644
--- a/ssl/record/methods/dtls_meth.c
+++ b/ssl/record/methods/dtls_meth.c
@@ -684,7 +684,7 @@ dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
 err:
 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
- OPENSSL_free(*retrl);
+ dtls_free(*retrl);
 *retrl = NULL;
 }
 return ret;
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 9a4cd85389..dc0b8b3d9e 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1356,11 +1356,14 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
 /*
 * Free the old record layer if we have one except in the case of DTLS when
- * writing. In that case the record layer is still referenced by buffered
- * messages for potential retransmit. Only when those buffered messages get
- * freed do we free the record layer object (see dtls1_hm_fragment_free)
+ * writing and there are still buffered sent messages in our queue. In that
+ * case the record layer is still referenced by those buffered messages for
+ * potential retransmit. Only when those buffered messages get freed do we
+ * free the record layer object (see dtls1_hm_fragment_free)
 */
- if (!SSL_CONNECTION_IS_DTLS(s) || direction == OSSL_RECORD_DIRECTION_READ) {
+ if (!SSL_CONNECTION_IS_DTLS(s)
+ || direction == OSSL_RECORD_DIRECTION_READ
+ || pqueue_peek(s->d1->sent_messages) == NULL) {
 if (*thismethod != NULL && !(*thismethod)->free(*thisrl)) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 return 0;
|
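Review bot: In ssl/record/methods/dtls_meth.c, the `err:` path of dtls_new_record_layer now calls `dtls_free(*retrl)` where it used to call `OPENSSL_free(*retrl)`, and only the latter is known to accept a NULL pointer. dtls_free is not visible in this hunk, so if it dereferences its argument, any jump to `err:` taken before `*retrl` is populated would turn a harmless no-op into a NULL dereference in an error path. Either confirm that every `goto err` follows a successful allocation and say so in a comment, or guard the call with `if (ret != OSSL_RECORD_RETURN_SUCCESS && *retrl != NULL) {`. The return value of dtls_free is also discarded here, whereas the `free` method's result is checked in ssl_set_new_record_layer. The function body starts outside the hunk, so the earlier exits could not be checked.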
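Review bot: In ssl/record/rec_layer_s3.c, the new `pqueue_peek(s->d1->sent_messages) == NULL` test asks whether any message is buffered, not whether a buffered message still references `*thisrl`. If the queue can hold only messages saved under a different record layer, the old write record layer would be skipped here and never released by dtls1_hm_fragment_free, which is the same leak in a narrower case. Conversely, the free-on-empty path is only safe if nothing outside the queue keeps a pointer to it. I would state that invariant in the comment, for example `* (every queued message is assumed to reference the current write record layer)`, or compare against the record layer saved with the queued messages if that is reachable from here. The function continues past the end of the hunk, so how `*thisrl` is replaced afterwards is not visible.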