Fix for SRTP Memory Leak CVE-2014-3513 This issue was reported to OpenSSL on 26th September 2014, based on an original issue and patch developed by the LibreSSL project. Further analysis of the issue was performed by the OpenSSL team. The fix was developed by the OpenSSL team. Reviewed-by: Tim Hudson <tjh@openssl.org>

commit: e659eff2c0ac6da05dd968a9354c9a69ca7f57b4 [log] [tgz]
author: Matt Caswell <matt@openssl.org> Wed Oct 15 01:03:32 2014 +0100
committer: Geoff Thorpe <geoff@openssl.org> Wed Oct 15 08:56:16 2014 -0400
tree: 22e1eb9a08f6ce53bdc1a3e4ce2d63c744a9e91d
parent: 0b382a8e8df7773e46d6e147d484a563d807cd77 [diff] [blame]
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d0602fb..879467c 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c

@@ -1462,7 +1462,7 @@
 		ret += s->alpn_client_proto_list_len;
 		}
 
-        if(SSL_get_srtp_profiles(s))
+        if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
                 {
                 int el;
 
@@ -1642,7 +1642,7 @@
 		}
 #endif
 
-        if(s->srtp_profile)
+        if(SSL_IS_DTLS(s) && s->srtp_profile)
                 {
                 int el;
 
@@ -2433,7 +2433,8 @@
 			}
 
 		/* session ticket processed earlier */
-		else if (type == TLSEXT_TYPE_use_srtp)
+		else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
+				&& type == TLSEXT_TYPE_use_srtp)
                         {
 			if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
 							      al))
@@ -2776,7 +2777,7 @@
 				}
 			}
 #endif
-		else if (type == TLSEXT_TYPE_use_srtp)
+		else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
                         {
                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
 							      al))
commit	e659eff2c0ac6da05dd968a9354c9a69ca7f57b4	[log] [tgz]
author	Matt Caswell <matt@openssl.org>	Wed Oct 15 01:03:32 2014 +0100
committer	Geoff Thorpe <geoff@openssl.org>	Wed Oct 15 08:56:16 2014 -0400
tree	22e1eb9a08f6ce53bdc1a3e4ce2d63c744a9e91d
parent	0b382a8e8df7773e46d6e147d484a563d807cd77 [diff] [blame]