commit 8a35dbb6d89a16d792b79b157b3e89443639ec94
author Matt Caswell <matt@openssl.org> Tue Nov 25 13:36:00 2014 +0000
committer Matt Caswell <matt@openssl.org> Wed Nov 26 10:10:21 2014 +0000
tree f226d18d416a24cd49f9d190d02f6f608da2bdf3
parent 3a0765882c4b3b67960b7efb203570764dd4ed29

Fixed memory leak due to incorrect freeing of DTLS reassembly bit mask

PR#3608

Reviewed-by: Tim Hudson <tjh@openssl.org>

ssl/d1_both.c

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index f2ff943..2324675 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -211,8 +211,7 @@
 	return frag;
 	}
 
-static void
-dtls1_hm_fragment_free(hm_fragment *frag)
+void dtls1_hm_fragment_free(hm_fragment *frag)
 	{
 
 	if (frag->msg_header.is_ccs)

ssl/d1_lib.c

diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 5f7a358..ab8730c 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -187,16 +187,14 @@
     while( (item = pqueue_pop(s->d1->buffered_messages)) != NULL)
         {
         frag = (hm_fragment *)item->data;
-        OPENSSL_free(frag->fragment);
-        OPENSSL_free(frag);
+        dtls1_hm_fragment_free(frag);
         pitem_free(item);
         }
 
     while ( (item = pqueue_pop(s->d1->sent_messages)) != NULL)
         {
         frag = (hm_fragment *)item->data;
-        OPENSSL_free(frag->fragment);
-        OPENSSL_free(frag);
+        dtls1_hm_fragment_free(frag);
         pitem_free(item);
         }
 

ssl/ssl_locl.h

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 0600f37..c5de193 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1219,6 +1219,7 @@
 void dtls1_double_timeout(SSL *s);
 int dtls1_send_newsession_ticket(SSL *s);
 unsigned int dtls1_min_mtu(void);
+void dtls1_hm_fragment_free(hm_fragment *frag);
 
 /* some client-only functions */
 int ssl3_client_hello(SSL *s);