diff options
author | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2017-03-10 15:10:41 +0100 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2017-03-10 14:07:53 -0500 |
commit | 13ed1afa923f4ffb553e389de08f26e9ce84e8a2 (patch) | |
tree | d7f352dbe547df41e1023aae8acd26f8b03d2919 /ssl | |
parent | a78d043b0db1e10ace2d777a837bd7e731a8ca6c (diff) |
Avoid questionable use of the value of a pointer that refers to space
deallocated by a call to the free function in tls_decrypt_ticket.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2897)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/t1_lib.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index afee12d60d..e102c24800 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3170,10 +3170,11 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, p = sdec; sess = d2i_SSL_SESSION(NULL, &p, slen); + slen -= p - sdec; OPENSSL_free(sdec); if (sess) { /* Some additional consistency checks */ - if (p != sdec + slen || sess->session_id_length != 0) { + if (slen != 0 || sess->session_id_length != 0) { SSL_SESSION_free(sess); return 2; } |