Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug. PR#3362

author: David Ramos <daramos@stanford.edu> 2014-06-01 21:28:41 +0100
committer: Matt Caswell <matt@openssl.org> 2014-06-01 21:40:25 +0100
commit: 8de85b00484e7e4ca6f0b6e174fb1dc97db91281 (patch)
tree: d401e3364685a987864534dd25c4a02cd10193c5 /ssl
parent: 8d7157414279fa2478fa0ddb160a77b8c2f2e4ce (diff)
1 files changed, 9 insertions, 9 deletions
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 6b51b8ec6e..43a09123f4 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -239,14 +239,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 	}
 #endif
 
-	/* insert should not fail, since duplicates are dropped */
-	if (pqueue_insert(queue->q, item) == NULL)
-		{
-		OPENSSL_free(rdata);
-		pitem_free(item);
-		return(0);
-		}
-
 	s->packet = NULL;
 	s->packet_length = 0;
 	memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
@@ -259,7 +251,15 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 		pitem_free(item);
 		return(0);
 		}
-	
+
+	/* insert should not fail, since duplicates are dropped */
+	if (pqueue_insert(queue->q, item) == NULL)
+		{
+		OPENSSL_free(rdata);
+		pitem_free(item);
+		return(0);
+		}
+
 	return(1);
 	}
author	David Ramos <daramos@stanford.edu>	2014-06-01 21:28:41 +0100
committer	Matt Caswell <matt@openssl.org>	2014-06-01 21:40:25 +0100
commit	8de85b00484e7e4ca6f0b6e174fb1dc97db91281 (patch)
tree	d401e3364685a987864534dd25c4a02cd10193c5 /ssl
parent	8d7157414279fa2478fa0ddb160a77b8c2f2e4ce (diff)